Efficient threat context-aware packet filtering for network protection

ABSTRACT

A threat intelligence gateway (TIG) may protect TCP/IP networks from network (e.g., Internet) threats by enforcing certain policies on in-transit packets that are crossing network boundaries. The policies may be composed of packet filtering rules with packet-matching criteria derived from cyber threat intelligence (CTI) associated with Internet threats. These CTI-derived packet-filtering rules may be created offline by policy creation and management servers, which may distribute the policies to subscribing TIGs that subsequently enforce the policies on in-transit packets. Each packet filtering rule may specify a disposition that may be applied to a matching in-transit packet, such as deny/block/drop the in-transit packet or pass/allow/forward the in-transit packet, and also may specify directives that may be applied to a matching in-transit packet, such as log, capture, spoof-tcp-rst, etc. Often, however, the selection of a rule&#39;s disposition and directives that best protect the associated network may not be optimally determined before a matching in-transit packet is observed by the associated TIG. In such cases, threat context information that may only be available (e.g., computable) at in-transit packet observation and/or filtering time, such as current time-of-day, current TIG/network location, current TIG/network administrator, the in-transit packet being determined to be part of an active attack on the network, etc., may be helpful to determine the disposition and directives that may best protect the network from the threat associated with the in-transit packet. The present disclosure describes examples of methods, systems, and apparatuses that may be used for efficiently determining (e.g., accessing and/or computing), in response to the in-transit packet, threat context information associated with an in-transit packet. The threat context information may be used to efficiently determine the disposition and/or one or more directives to apply to the in-transit packet. This may result in dispositions and/or directives being applied to in-transit packets that better protect the network as compared with solely using dispositions and directives that were predetermined prior to receiving the in-transit packet.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent applicationSer. No. 17/235,544, filed Apr. 20, 2021, entitled “Methods and Systemsfor Efficient Threat Context-aware Packet Filtering for NetworkProtection,” hereby incorporated by reference herein as to its entirety.

FIELD

Aspects described herein generally relate to computer hardware andsoftware and network security. In particular, one or more aspects of thedisclosure generally relate to computer hardware and software forefficient filtering of in-transit packets that determines an action tobe performed (e.g., a disposition and/or a directive) for eachin-transit packet (for example, whether to block or allow eachin-transit packet) depending on the threat context at the time that thein-transit packet is observed. Other aspects and other features are alsodescribed herein.

BACKGROUND

Transmission Control Protocol/Internet Protocol (TCP/IP) networksecurity is becoming increasingly important as the information agecontinues to unfold. Network threats/attacks may take a variety of forms(e.g., unauthorized requests or data transfers, viruses, malware, largevolumes of traffic designed to overwhelm resources, and the like).

To counter these threats and attacks, various cyber defensemethodologies and systems have been developed and deployed. An importantcomponent of cyber defense is the network appliance (e.g., apacket-filtering appliance) that applies sets of packet filtering rulesto in-transit Layer 3/Internet Protocol (L3/IP) packets and determineswhether to allow/forward each packet toward its destination orblock/drop the packet. These packet-filtering appliances may be insertedinline into links located at the boundaries between a private network,such as an enterprise network, and the public Internet and may beconfigured with a set of packet filtering rules, or a policy, that maybe designed to protect or otherwise secure the private network in someway. For example, early-generation network firewalls are typicallyconfigured with packet filtering rules that enforce a private network'saccess control policies, such as which Internet services (i.e.,well-known ports associated with Internet hosts) that internal hosts maybe allowed to access, and conversely which internal resources may beaccessed by which (unsolicited) Internet hosts. For another example,current-generation packet-filtering appliances include threatintelligence gateways (TIGs), which may be configured with packetfiltering rules with packet matching criteria that correspond to thenetwork addresses, e.g., IP addresses, 5-tuple values, domain names,URIs, and the like, of cyber threats that have been identified by cyberthreat intelligence (CTI) providers.

Although there are no required formal standards for packet filteringrule syntax and semantics, packet-filtering appliances typically supportpacket filtering rules that generally conform to this high-level,exemplary representative schema:<disposition><directives><matching-criteria>;<metadata>, where:<disposition> is, for example, one of block/deny/drop (which willgenerally be referred to herein as “block”) or allow/pass/forward (whichwill generally be referred to herein as “allow”) a packet that matchesthe rule; the <matching-criteria> correspond to Internet-layer (L3),transport-layer (L4), and application-layer header field values, such assome combination of source and destination IP addresses, protocol,source and destination ports, domain names, Uniform Resource Identifiers(URIs) such as Uniform Resource Locators (URLs) or Uniform ResourceNames (URNs), and the like; and <metadata> is information associatedwith the rule that may be used to inform applications about the packetand/or rule, for example, the metadata may indicate the source of thematching criteria and may be included in an associated log that may beprocessed by, for example, applications for cyber situational awareness,cyber analysis, cyber defense, cyber network protection, and the like.The <directives> may be signals that direct the operating applicationlogic of the packet-filtering appliance to process a matching packetaccording to the logic associated with the directive. For example, thislogic may be additional packet-processing actions and/orpolicy-processing actions that may be applied to a matching packet(e.g., signaled by directives such as “log”, “flow-log”, “capture”,“mirror”, “re-direct”, “spoof-tcp-rst”, etc.), whether ornot/conditionally to apply the rule upon packet ingress (“in”) or uponpacket egress (“out”) or both (“in out”), whether or not/conditionallyto continue applying subsequent rules in the policy to the matchingpacket (“continue” or “quick”), associating the rule with specificinterfaces of the packet-filtering appliance, etc.

One approach to cyber defense is to filter packets associated withInternet threats, which are Internet hosts and/or resources managed byInternet hosts that may be associated with malicious activity. Thesethreats may be researched and identified by cyber threat intelligence(CTI) provider organizations, which publish CTI reports on the threats.The CTI reports may include threat indicators, which may be networkaddresses in the form of IP addresses, 5-tuples, domain names, URIs, andthe like, associated with Internet hosts and/or resources that may beparticipating in malicious activity. The threat indicators may becollected from multiple CTI provider organizations and used to createsets/policies composed of packet filtering rules with matching criteriathat correspond to the threat indicators. Such packet filtering rulesgenerated from threat indicators are hereafter referred to as “threatindicator rules”, and a set of threat indicator rules comprises a“CTI-based policy” for protecting a network from Internet threats.Packet filtering appliances located at boundaries between networks to beprotected (e.g., private networks) and networks that may not beprotected (e.g., public networks such as the Internet) may be configuredwith these policies and may apply them to all in-transit packetstraversing the boundaries, thereby protecting the private network fromInternet threats by, for example, blocking/dropping packets associatedwith the threats. Because a gateway is an interface at a boundarybetween two different networks, such as between a CTI-protected networkand an unprotected network, such packet filtering appliances that areconfigured with CTI-based policies and logic to enforce the policies maybe called Threat Intelligence Gateways (TIGs).

Although this CTI-based cyber defense approach may appear to bestraightforward, for several reasons it is not. One reason is that thethreat risk associated with a threat indicator may not be deterministicin the sense that, for example, an in-transit packet with a header fieldvalue that matches a threat indicator may not necessarily be associatedwith malicious activity and instead may be associated with legitimatebusiness activity or with some benign activity. For example, a websitehosting service may use a single IP address to host multiple domains.One of the domains may be involved in malicious activity whereas theother domains are only involved in legitimate activity. A CTI providermay detect the malicious activity associated with the one maliciousdomain but may publish the single IP address of all of the domains as athreat indicator; furthermore, the CTI provider may assign/associatehigh confidences, high risk scores, recommended dispositions (e.g.,“block”), and/or the like to such threat indicators. Consumers of suchCTI and associated threat indicators may consider it to be undesirable,and may desire to exclude such CTI before applying it. Furthermore, whatis to be excluded may be relative/contextual to a given consumer. Forexample, an enterprise may subscribe to a CTI Provider's threatindicator feeds but may discover that the enterprise's own networkedhosts and resources are listed as threat indicators because, forexample, the hosts may have been compromised by malware and/or maliciousactors.

Thus, when creating a threat indicator rule, the consumer may not selectthe “block” disposition by default, even when the associated CTIprovider may be, for example, recommending “block” with high confidence,because of the possibility of blocking legitimate business traffic. Thismay have the effect of falsely designating a real attack on the networkas a non-threat, thereby potentially allowing, rather than blocking, theattack. Conversely, other more risk-averse consumers may choose not toselect the “allow” disposition (and with packet-processingactions/directives configured to monitor the potential threat) bydefault because of the possibility of allowing malicious traffic thatattacks and damages networked resources, which may be considered a falsenegative. Additionally, there are other reasons that a consumer may beuncertain as to whether to select the “block” or “allow” dispositiondespite a CTI provider's published recommendations, and there are otherreasons that the disposition (block or allow) that may best protect thenetwork may not be readily determined when creating threat indicatorrules comprising a network protection policy that are intended to beapplied to future packets yet to be received.

Accordingly, when the threat risk associated with a threat indicator isuncertain, subjective, and/or probabilistic (e.g., risk probability inthe range of [0, 1]) in nature vs. deterministic, objective, or binary(i.e., an “all risk” risk probability=1 or a “no risk” riskprobability=0) in nature, then it may be problematic to predetermine thedisposition, i.e., “block” or “allow”, for a threat indicator rule.Similarly, it may be problematic to predetermine any directives for thethreat indicator rule, as these directives are often correlated with thedisposition, with the risk associated with the threat indicator, and/orwith other factors.

Thus, there is a need for improvements in network-protective computerlogic and technology associated with the application of threat indicatorrules to in-transit packets traversing boundaries between protectednetworks and public networks such as the Internet. These improvementswould be directed toward improving cyber defenses against Internetthreats.

SUMMARY

The following presents a simplified summary in order to establish abaseline understanding of some aspects of the disclosure. It is intendedneither to identify key or critical elements of the disclosure nor todelineate the scope of the disclosure. The following summary merelypresents some concepts of the disclosure in a simplified form as aprelude to the detailed description below.

According to some aspects as described herein, the determination of adisposition (e.g., “block” or “allow”) of a threat indicator rule aswell as the determination of one or more directives to be applied to anin-transit packet, may be delayed until the in-transit packet has beenobserved that matches the threat indicator rule. Based on observing arule-matching packet (e.g., in response to and/or after receiving orobserving the packet) by a packet filtering appliance, the packetfiltering appliance's logic may efficiently compute, access, and/orotherwise determine threat context information that may not have beenavailable, applicable, or otherwise known at the time the threatindicator rule was created. Such threat context information may be usedas input to logic that determines the disposition, e.g., block or allow,as well as the directives to apply to the in-transit packet. This mayresult in dispositions and/or directives being applied to in-transitpackets that better protect the network as compared with solely usingdispositions and directives that were predetermined prior to receivingthe in-transit packet. Threat context information that may be used todetermine an in-transit packet's disposition and directives may include,for example, the packet observation/filtering time, the location and/oradministrator of the associated packet-filtering appliance, and/orwhether or not the packet is associated with an active attack on theassociated network and/or on other networks connected to the Internet.

Accordingly, at the time that threat indicator rules arecreated/generated, a new disposition may be specified for a threatindicator rule. For purposes of convenience and example only, this newdisposition will be referred to herein as a “protect” disposition,however this new disposition may be assigned any name as desired, suchas “undefined,” “neutral,” “TBD,” and/or any other name as desired.Alternatively, a rule may be assigned no disposition and/or directivesat all (e.g., a null, blank, or missing disposition and/or directive),and based on the missing disposition and/or directive the networkappliance's logic may determine (e.g., compute) a disposition and/or oneor more directives using threat context information associated with theobserved in-transit packet. In further examples, the rule may beassigned a first disposition (e.g., “block,” “allow,” etc.) and/or firstone or more directives, and based on the observed in-transit packet andbased on the threat context information, the network appliance's logicmay determine (e.g., compute) a different second disposition and/or adifferent second one or more directives. In still further examples, arule may be assigned a “block” disposition or an “allow” disposition (orany other disposition), and may also be assigned or otherwise associatedwith an indicator, such as a flag or signal, that indicates that threatcontext information is to be used for that rule at in-transit packetobservation time. An example of such an indicator may be a simpleone-bit flag, for example, where one value of the indicator signals to aTIG or other packet filtering appliance that the assigned disposition iscorrect and another value of the indicator signals to the TIG or otherpacket filtering appliance that the assigned disposition is flexibleand/or that a disposition is to be computed at in-transit packetobservation time. In any of these situations, upon receiving andobserving an in-transit packet that matches a rule indicating nopredetermined disposition (e.g., a rule with a “protect” disposition, ora rule with a missing/blank disposition, or a rule having theabove-discussed indicator), a packet filtering appliance (for example, aTIG) may use threat context information to efficiently compute thedisposition to be actually applied to the packet, for example “block” or“allow”, as well as one or more directives that may best protect thenetwork from the associated threat, and then may apply the computeddisposition and directive(s) to the in-transit packet. The efficientdetermination (e.g., computation) and application of the dispositionand/or directives for the in-transit packet may be completed beforeprocessing/filtering the next in-transit packet and/or before the nextin-transit packet is received by the packet filtering appliance.Accordingly, the computation and application may be sufficientlyefficient such that regardless of packet transmission rates andassociated traffic loads, the in-transit packets may beprocessed/filtered without incurring undue latencies and/or packet dropsthat may otherwise meaningfully affect performance of the associatednetworked applications.

Further aspects described herein are directed to receiving, by apacket-filtering appliance from one or more cyber threat intelligenceproviders, one or more threat indicators; determining a plurality ofpacket-filtering rules associated with the one or more threatindicators; configuring the packet-filtering appliance with theplurality of packet-filtering rules; receiving an in-transit packet;determining that the in-transit packet matches a rule of the pluralityof packet-filtering rules; determining, based on the rule, threatcontext information that was not predetermined before the receiving thein-transit packet; determining a disposition and/or one or moredirectives based on the threat context information; and applying thedisposition and/or one or more directives to the in-transit packet.

Further aspects described herein are directed to receiving, by apacket-filtering appliance from one or more cyber threat intelligenceproviders, one or more threat indicators; determining a plurality ofpacket-filtering rules associated with the one or more threatindicators; configuring the packet-filtering appliance with theplurality of packet-filtering rules; receiving an in-transit packet;determining, based on a rule, of the plurality of rules, that matchesthe in-transit packet, that threat context information is to bedetermined; determining the threat context information, wherein thethreat context information was not predetermined before the receivingthe in-transit packet; determining a disposition based on the threatcontext information; and applying the disposition to the in-transitpacket.

Further aspects described herein are directed to receiving, by apacket-filtering appliance, a plurality of packet-filtering rules,wherein the packet-filtering rules were determined based on a pluralityof threat indicators that were determined based on cyber intelligencereports from a plurality of cyber threat intelligence provider;configuring the packet-filtering appliance with the plurality ofpacket-filtering rules; receiving, from a first network, an in-transitpacket destined to a second network; based on determining that thein-transit packet matches a first packet-filtering rule of the pluralityof packet-filtering rules, determining threat context information;determining, based on the threat context information, a disposition; andapplying the disposition to the in-transit packet. Non-limiting examplesof the threat context information may include one or more of any of thefollowing: in-transit packet observation time, appliance location and/orappliance identifier/ID, administrator and/or associated security policypreferences, type of network being protected and/or type of networkassociated with the in-transit packet, active threat or active attacktype associated with the in-transit packet, an indication of whether thein-transit packet is a member of an active multi-packet, multi-flowattack (and/or information about such an attack), flow origination ofthe in-transit packet, flow direction of the in-transit packet, flowstate of the in-transit packet, flow connection state of the in-transitpacket, global threat context, domain name associated with (e.g.,identified by) the in-transit packet, popularity of the domain name,registration status of the domain name, URI associated with thein-transit packet, data transfer protocol method associated with (e.g.,identified by) the in-transit packet, protocol risk associated with thein-transit packet, and/or contextual CTI noise, etc.

Further aspects described herein are directed to receiving, by apacket-filtering appliance, a plurality of packet-filtering rules,wherein the packet-filtering rules were determined based on a pluralityof threat indicators that were determined based on cyber intelligencereports from a plurality of cyber threat intelligence provider;configuring the packet-filtering appliance with the plurality ofpacket-filtering rules; receiving, from a first network, an in-transitpacket destined to a second network; based on determining that thein-transit packet matches a first packet-filtering rule of the pluralityof packet-filtering rules, wherein the first packet-filtering ruleindicates no predetermined disposition to be applied to a matchingpacket, determining threat context information; determining, based onthe threat context information, a disposition; and applying thedisposition to the in-transit packet. The threat context information maybe based on various information available after the in-transit packet isobserved, for example being based on an observation time of thein-transit packet. Non-limiting examples of the threat contextinformation may include one or more of any of the following: in-transitpacket observation time, appliance location and/or applianceidentifier/ID, administrator and/or associated security policypreferences, type of network being protected and/or type of networkassociated with the in-transit packet, active threat or active attacktype associated with the in-transit packet, an indication of whether thein-transit packet is a member of an active multi-packet, multi-flowattack (and/or information about such an attack), flow origination ofthe in-transit packet, flow direction of the in-transit packet, flowstate of the in-transit packet, flow connection state of the in-transitpacket, global threat context, domain name associated with (e.g.,identified by) the in-transit packet, popularity of the domain name,registration status of the domain name, URI associated with thein-transit packet, data transfer protocol method associated with (e.g.,identified by) the in-transit packet, protocol risk associated with thein-transit packet, and/or contextual CTI noise, etc.

Further aspects described herein are directed to determining adisposition and/or a directive (and/or another type of action) in realtime (and/or with low latency) for an in-transit packet, where thein-transit packet matches one or more rules that either include nopredetermined disposition or that include a disposition other than anallow disposition and a block disposition, such as a “protect”disposition, and applying that disposition, directive, and/or other typeof action to the in-transit packet.

Further aspects described herein are directed to determining andapplying a disposition and/or a directive (and/or another type ofaction) for an in-transit packet based on information that is determined(e.g., computed) and/or available (e.g., in real time and/or withrelatively low latency) after the in-transit packet is received and thathas not been determined and/or that was not available prior to receivingthe in-transit packet. The information may be different from (and/ordetermined independently from) information that was received fromanother source (such as a CTI provider) prior to receiving thein-transit packet.

Further aspects described herein are directed to assigning a particularaction such as a particular disposition (such as a protect dispositionor another disposition that is not allow or block) and/or particulardirective to a rule based on a determination that the rule potentiallywould match a desirable packet such as a packet expected to belegitimate. The determination that the rule potentially would match adesirable packet is based on CTI noise exclusion and/or autoimmunityinformation.

Further aspects described herein are directed to performing attackdetection (such as to detect port scan attacks) based on a plurality ofpacket flows (e.g., multi-packet multi-flow attack detection). Forefficiency, an efficient data structure, for example an LRU cache datastructure, and/or an efficient attack packet rate estimator, may be usedto perform the attack detection.

Further aspects described herein are directed to using global threatcontext information to determine a disposition and/or a directive of anin-transit packet. The global threat context information may be based oninformation provided by one or more other TIGs (or other types ofpacket-filtering devices) and that has been collected, integrated,and/or distributed on a subscription basis.

Further aspects described herein are directed to using machine learningto determine a disposition and/or a directive for an in-transit packet.For example, the determining may be implemented efficiently by amachine-learning-configured artificial neural network (ANN) of apacket-filtering device such as a TIG. The ANN may be configured todetermine (e.g., compute) the disposition and/or the directive in realtime after the in-transit packet is received by the TIG and before thenext in-transit packet in the same direction is received by the TIG.

These and other aspects will be described in Detailed Description belowwith reference to the various drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is pointed out with particularity in the appendedclaims. Features of the disclosure will become more apparent upon areview of this disclosure in its entirety, including the drawing figuresprovided herewith.

Some features herein are illustrated by way of example, and not by wayof limitation, in the figures of the accompanying drawings, in whichlike reference numerals refer to similar elements, and wherein:

FIG. 1 shows an illustrative environment for efficient threat contextaware packet filtering.

FIG. 2 is a flowchart describing a packet filtering appliance'sexemplary use of threat context information associated with activeattacks to compute dispositions and/or directives for in-transitpackets.

FIG. 3 is a flowchart describing a packet filtering appliance'sexemplary use of threat context information associated with activeattacks to compute dispositions and directives for in-transit packets.

FIG. 4 is a flowchart describing exemplary use of threat contextinformation to exclude cyber threat intelligence (CTI) noise and toprevent autoimmunity issues.

FIG. 5 is a flowchart describing exemplary use of global threat contextinformation to compute dispositions and directives.

FIG. 6 shows an exemplary artificial neural network (ANN) that usesthreat context information to efficiently compute disposition(s) anddirectives for in-transit packets.

FIG. 7 shows an example computing device that may be used to implementany of the packet filtering appliances, other devices, systems, andmethods described herein.

FIG. 8 shows an exemplary packet-filtering appliance such as a threatintelligence gateway (TIG).

FIG. 9 is an example timing diagram in accordance with aspects describedherein.

FIG. 10 is another example timing diagram in accordance with aspectsdescribed herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the disclosure. In addition, reference is made to particularapplications, protocols, and embodiments in which aspects of thedisclosure may be practiced. It is to be understood that otherapplications, protocols, and embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the disclosure.

Various connections between elements are discussed in the followingdescription. These connections are general and, unless specifiedotherwise, may be direct or indirect, wired or wireless, physical orlogical (e.g., virtual or software-defined), in any combination. In thisrespect, the specification is not intended to be limiting.

An important component of cyber defense is packet-filtering appliancesthat apply sets of packet filtering rules to in-transit L3/IP packetscrossing a network boundary and determine whether to allow/forward eachpacket toward its destination or block/drop the packet, i.e., todetermine the packet's disposition. In the present context, anin-transit packet may be, for example, an L3/IP packet with a source IPaddress that corresponds to a host that is upstream from thepacket-filtering appliance and with a destination IP address thatcorresponds to a host that is downstream from the packet-filteringappliance. These network appliances may be inserted inline into linkslocated at the boundary between a private network, such as an enterprisenetwork, and the public Internet and may be configured with a set ofpacket filtering rules that is designed to protect or otherwise securethe private network in some way. These (inline) network appliances mayalso be configured such that their network interfaces may not have L3/IPaddresses and/or L2/MAC addresses, which may be called aBump-in-the-Wire (BITW) configuration, and in virtual environments,physical BITW configurations may be emulated by virtual BITWconfigurations. Accordingly, the set of packet filtering rules defines a(network security) policy, and the network appliance enforces thepolicy. U.S. Provisional Patent Application Ser. No. 63/071,174, filedAug. 27, 2020 and entitled “Methods and Systems for EfficientVirtualization of Inline Transparent Computer Networking Devices,” ishereby incorporated by reference for its disclosure of how physical BITWconfigurations may be emulated by virtual BITW configurations.

For example, early-generation network firewalls and edge routers may beconfigured with packet filtering rules that enforce a private network'saccess control policies, such as which Internet services that internalhosts are allowed to access, and conversely which internal resources andservices may be accessed by which (unsolicited) Internet hosts. TheInternet services and internal resources and services may be identifiedby their IP addresses, Transmission Control Protocol/User DatagramProtocol (TCP/UDP) ports, and/or protocol types; accordingly, the packetfiltering rules' matching criteria often correspond to the packets'5-tuple values, i.e., the (L3) source and/or destination IP addressvalues, and/or (L4) source and/or destination port values, and/or (L3)Protocol value (IPv4) or Next Header value (IPv6). Access controlpolicies and their associated packet filtering rules are often static inthe sense that the rate of change for the access-control policies/rulesis sufficiently low such that humans may manually manage them.Similarly, the number of rules in a typical policy is sufficiently smallsuch that humans may manually manage them.

For another example, and referring to FIG. 1, which shows arepresentative network environment 100 for the present disclosure, oneor more current-generation packet-filtering appliances, such as threatintelligence gateways (TIGs) 120 a, 120 b, 120 c, may be configured withpacket filtering rules. Where any arbitrary one of these TIGs 120 a, 120b, 120 c are referred to herein, or where they are referred tocollectively, they will be referred to herein as simply TIG 120 or TIGs120. Moreover, the references herein to TIGs is merely an example; allreferences herein to TIGs will be understood to also be applicable toother types of packet filtering appliances. The packet filtering rulesmay identify packet matching criteria that correspond to the networkaddresses and/or identifiers, e.g., IP addresses, 5-tuple values, domainnames, URIs, etc., or indicators, of cyber threats that may have beenidentified by cyber threat intelligence providers (CTIPs) 140 inassociated cyber threat intelligence (CTI) reports. CTIPs 140 maycontinually identify Internet threats, create threat intelligencereports on the threats, determine indicators associated with thethreats, and publish (e.g., stream) lists, or feeds, of the threatindicators. Indicators may identify specific Internet hosts and/orspecific resources managed by Internet hosts. Subscribers to these feedsmay be, for example, security policy management servers/services (SPMSs)150 that may continually/repetitively: consume multiple different feedsfrom multiple different CTIPs 140; aggregate the associated indicators(which may number in the millions) by, for example, removing duplicatesand resolving address range overlaps; create sets of packet filteringrules (i.e., policies) with packet matching criteria corresponding tothe threat indicators, with rule metadata corresponding to the CTIP(s)140 and feed(s) that supplied the indicators (as well as otherassociated information about the threat, for example, threat/attacktype, confidence, risk score, recommended disposition, and the like),with dispositions of either “block” or “allow”, and with directives to,for example, log and/or flow-log matching packets, capture matchingpackets, etc.; and publish the policies to subscribers. The subscribersmay be or may control/administrate packet-filtering appliances (e.g.,threat intelligence gateways (TIGs) 120) that may be located at theboundary of and may comprise an interface, or gateway, between privatenetworks (e.g. 102, 104, . . . 108) that are protected by threatintelligence and public networks such as the Internet 110 that may notbe protected by threat intelligence, and that may receive the policiesand then enforce the policies by applying the policies to networktraffic (e.g., in-transit packets) that may pass through the TIGs 120.

Because of the volume and dynamics of CTI supplied by CTIPs 140 (e.g.,in aggregate, many millions of threat indicators that are continuallyupdated and published at a high rate, for example, hourly or evencontinually as a stream), policy creation and associated threatindicator rule construction (by, for example, an SPMS 150) is often anautomated process. Accordingly, the selection of a disposition and oneor more directives for each threat indicator rule is often performedautomatically. Thus, the selection of a “block” disposition or an“allow” disposition may be determined automatically before arule-matching packet is observed by a TIG 120 and therefore withoutfactoring in any threat context that may be associated with the packet(for example, time, location, operating environment, current (local andglobal) threat situation, policies of the operator/administrator of theTIG and associated (private) network, etc., of the observation).Furthermore, in practice, because of the uncertainty of threat risk, the“allow” disposition is often selected by default instead of “block” sothat legitimate traffic will not be blocked—even when, for example, theCTIP 140 may recommend a “block” disposition with high confidence. Also,different subscribers, for example, different enterprises, may havedifferent policies/requirements regarding selection of “block” vs.“allow” and associated directives, and these policies/requirements maychange over time. The possible adverse result of pre-determiningdispositions and directives at policy creation time is that the networkprotections from threats/attacks may be significantly diminished.

The present disclosure describes ways for improving network protectionsby, for example, computing the best dispositions and directives to beapplied to rule-matching in-transit packets for protecting the networkat the time that the rule-matching in-transit packets are actuallyobserved/filtered by a TIG 120. At packet observation/filtering time,the TIG 120's logic uses current threat context information to computethe matching rule's disposition and directives that may be applied tothe observed in-transit packet. The threat context information mayinclude, for example: local threat context information, for exampleinformation that may be stored in the TIG's 120 memory (e.g., mainmemory) and/or in one or more efficient data structures, that may bereadily available to the TIG 120 and/or readily accessible by the TIG120 and/or efficiently computed by the TIG 120 (e.g.,time-of-day/observation time; active attacks that the packet may beassociated with; threat context information associated with the matchingrules, etc.); and/or global threat context information, for exampleglobal threat situation and awareness information on threats/attacksthat may be actively or recently occurring on other networks besides thenetwork being protected by the (local) TIG 120, that may be collectedand distributed for example by a Global Threat Context System/Servicecomposed of one or more Global Threat Context Servers (GTCS) 170. Toreduce the chance of the TIG 120 detrimentally affecting networkperformance (either at all or by more than an acceptable amount), it maybe desirable that the threat context information be available,accessible, computable, and/or otherwise determined for an in-transitpacket by the TIG 120 at such a speed (and efficiency) that the threatcontext information can be determined (and possibly applied) before thenext in-transit packet is received by the TIG 120 or before the nextin-transit packet is processed by the TIG 120. For example, if packetsare received at a rate of X packets per second, then it may be expectedthat the TIG 120 is able to analyze each incoming packet and determineits associated threat context information in a timeframe of less than orequal to 1/X seconds per packet. It may further be desirable that theTIG 120 is additionally able to determine (e.g. compute) the packet'sdisposition and/or one or more directives within that same 1/Xtimeframe. In support of these high processing speeds, and as will bedescribed herein, it may therefore be desirable that any informationrelied upon by the TIG 120 to formulate the threat context informationin real time (for example, by a scheduled deadline corresponding to the1/X timeframe) for an already-received in-transit packet may be readilyand efficiently accessible. For example, the information relied upon toformulate the threat context information may already be local to the TIG120 and/or in a remote location that is quickly accessible on demand andin real time and with relatively low latency. As will also be describedherein, example processing structures that may be particularly suited tosuch high-speed complex decision-making (to process the threat contextinformation and/or to calculate a disposition and/or one or moredirectives) may be (bounded) artificial neural networks, data structureswith logarithmic-time or constant-time complexity, work-efficient orwork-optimal parallel processing algorithms and associated structures,and the like. However, other timeframes (e.g., greater than 1/X) andother processing structures may be used as appropriate or desirable forthe situation.

During operation, and referring to the example of FIG. 1, communicationsvia a public network such as the Internet 110 may occur between hostsconnected to the private networks 102, 104, . . . 108, which may beprotected by TIGs 120 enforcing network protection policies, and hostsconnected to the networks 130, 132, . . . 138 that may be associatedwith threats. Note that hosts connected to the TIG-protected privatenetworks 102, 104, . . . 108 may also be associated with threats (forexample, a host may have been compromised by malicious actors), and thatany host connected to any network may communicate with any other hostsconnected to any other networks. The threat hosts may be associated withthreat indicators that may be known to CTIPs 140. Accordingly, the TIGs120 may be enforcing policies that include packet-filtering rulesderived from the threat indicators, for example, packet-filtering ruleswith matching criteria that correspond to the threat indicators.

When an in-transit packet ingresses a TIG 120 and matches a packetfiltering rule, the TIG applies the rule's disposition, for example ablock disposition (e.g., block or drop) or an allow disposition (e.g.,allow or forward), to the packet, and also applies the logic associatedwith the rule's directives to the packet, such as “log”, “flow-log”,“capture”, “spoof-tcp-rst”, etc. A rule's directives may be correlatedto the disposition. For example, a “spoof-tcp-rst” directive, which maygenerate/spoof a TCP RST packet to terminate the associated TCPconnection, may only be used with a “block” disposition (and only if theL4/transport-layer protocol is TCP). If “spoof-tcp-rst” is a directivein a rule with an “allow” disposition, then the associated TCPconnection may be terminated, which is likely not desired behavior andmay even be interpreted as an attack. For another example, for a rulewith a “block” disposition, it may or may not be desirable to have a“capture” directive or even a “log” directive, depending on threatcontext. For example, consider a TIG observing a typical port scanattack on the protected network, which may generate hundreds ofthousands or even millions of TCP SYN packets at rates of hundreds of orthousands of packets per second. If a matching “block” rule includes a“capture” directive, then each TCP SYN packet comprising the port scanattack will be captured, which may use on the order of 100 MB of storagebut which has little or no value to cyberanalysts who may beinvestigating the attack. Similarly, if the matching “block” ruleincludes a “log” directive, then each TCP SYN packet composing theattack will be logged, which may use even more storage space than the“capture” directive. A cyberanalyst may only need to observe a few ofthe many packet logs to sufficiently understand the attack in order todetermine an effective protective/defensive/remedial action. Conversely,there are other types of attacks, for example, some types of advancedpersistent attacks (APTs), which may match a “block” rule but for whicheach captured and/or logged packet may provide much value tocyberanalysts investigating the attack. In any case, without additionalcontext, it may be problematic and/or inefficient to pre-determine ruledispositions and directives before matching packets are observed andtherefore without the current threat context (when or after thein-transit packet is received) to guide the selection of dispositionsand directives.

Furthermore, for some threats/attacks, the best disposition anddirectives may change during the lifetime of the threat/attack inresponse to changes in the threat context. Consider, for example, atypical port scan attack on a network that may be protected by a TIG 120of the present disclosure, which may include logic for (efficiently)detecting port scan attacks as they are occurring. A typical port scanattack may send many TCP SYN packets at a high rate from the same originIP address toward many different ports on each (public) IP address ofthe target network. Suppose the port scan attack detection logicincludes a packet arrival rate threshold which, when crossed, may switchthe associated threat context between “no active attack” and “activeattack”. Computing a packet arrival rate involves observing at least two(arriving/received) packets, and for a given port scan attack, more thantwo packets may be observed before the threshold may be crossed, whichmay cause the threat context to change. Thus, at or near the beginningof a port scan attack, the best disposition may be “allow” forassociated packets that arrive before the threshold is crossed andtherefore when the threat context is “no active attack”; but then thebest disposition may change to “block” after the threshold is crossedand the threat context changes to “active attack”. When the packetarrival rate falls below the threshold, then the threat context maychange to “no active attack” and the best disposition may change to“allow”.

Accordingly, the present disclosure describes a new disposition, whichwill be referred to herein as the “protect” disposition, and associatedTIG 120 logic associated with the “protect” disposition. At the timethat threat indicator rules are created/generated, for example, when aCTI-based policy is being created automatically by an SPMS 150, the“protect” disposition may be specified for a rule as an alternative to“block” or “allow”. Upon later observing an in-transit packet thatmatches a rule with a “protect” disposition, a TIG 120 may use threatcontext information to determine (for example, compute) the in-transitpacket's disposition, for example “block” or “allow”, and the associateddirectives that best protect the network from the associated threat. Thedetermined disposition may then be applied to the in-transit packet.Thus, such an in-transit packet's disposition may be undefined (e.g.,unknown) before and until the packet is observed in transit. Moreover,such an in-transit packet's disposition may remain undefined (e.g.,unknown) during a time period from when the TIG 120 has determined thatthe observed in-transit packet satisfies a rule having the “protect”disposition and until the in-transit packet's disposition issubsequently determined based on the threat context information. Thename “protect” for this disposition is merely an example; thisdisposition may be assigned any name as desired. Other non-limitingexamples of names that may be used for this disposition include“defend,” “guard,” “undefined,” “undetermined,” “null,” “flexible,”“TBD,” “other,” “3,” “ABC,” etc. Regardless of the name, thisdisposition may be indicative of a state in which threat contextinformation is to be used, in response to an observed in-transit packet,to determine (e.g., compute) the actual disposition to be applied to thein-transit packet. By way of example only, such a disposition,regardless of the actual assigned name, will be referred to herein as a“protect” disposition.

For example, the TIG 120 logic may determine that, even though theobserved in-transit packet matched a threat indicator rule (e.g., with a“protect” disposition), the computed disposition to be applied to thatin-transit packet is “allow” because, for example, the in-transit packetis determined to be associated with legitimate business communications,or benign communications, or low-risk communications (and then possiblymonitored, e.g., logged and captured, for subsequent cyber analysis);or, even with the threat context information, there is still muchuncertainty about the threat, and thus the in-transit packet andassociated communications may be allowed but monitored and tracked tosupport subsequent cyber analysis. Note that in practice, the total timeneeded to (a) access or compute any threat context information, (b)compute/select the disposition and directives to apply, and (c) applythe computed/selected disposition and directives to the currentin-transit packet should be sufficiently short relative to packettransmission rates such that in-transit packets are not dropped by thepacket filtering appliance (because of, for example, in-transit/arrivalpacket buffer overflows), which may cause violations of the“transparency rule” of RFC 2979. Conventional packet transmission ratesmay be measured in millions or tens of millions of packets per second ona single link. This means that threat context information computationsshould be highly efficient and may have, for example, constant-time(i.e., O(1)) or logarithmic-time (i.e., O(log N)) complexities. Notealso that persons skilled in the art may expect that: (1) packetfiltering rules follow the general schema and associated syntax andsemantics described above, which may be similar to, for example, theschema of iptables or BSD PF; (2) the rules in a policy are searched inthe spatial order that they appear in the policy file, i.e., from thetop/head of the file to the bottom/tail of the file; (3) a TIG's 120application of packet filtering rules is stateless (for example,memoryless) in the sense that: (a) each in-transit packet is filteredthrough the policy in arrival order and has a disposition determined andapplied to it before the next in-transit packet in arrival order isfiltered through the policy (and has a disposition determined andapplied to it); and (b) the disposition, e.g., block or allow, appliedto a packet is not dependent on, or correlated with, the dispositionapplied to any preceding in-transit packet or on the disposition appliedto any succeeding in-transit packet; and (4) the packet-filteringappliance/TIG 120 is “transparent” with respect to packet transmissionin that (a) packets egress the appliance in the same order that theyingressed the appliance; and (b) latency added by the appliance isnegligible, for example, the additional latency is a (small) fraction of(for example, one or more orders of magnitude smaller than) theend-to-end packet transmission time between the host endpoints,associated applications are not affected by the latency, and packets arenot dropped because of internal buffer overflows (for example, theappliance behaves like a wire, or a “bump-in-the-wire” (BITW), withrespect to packet transmission). Persons skilled in the art may refer tofiltering a packet, without regard to how another packet is filtered, as“stateless” packet filtering. RFC 2979 “Behavior of and Requirements forInternet Firewalls”, RFC 2544 “Benchmarking Methodology for NetworkInterconnect Devices”, and the like, may formalize some of thesepotential properties of packet-filtering appliances that persons skilledin the art may expect/assume.

For an in-transit packet that matches a threat indicator rule, examplesof threat context information that (a) may be factored into the TIG's120 decision logic for selecting a disposition and directives that bestprotect the network (hereafter, “decision logic”), and (b) may beefficiently accessed and/or otherwise determined (e.g., computed) by theTIG 120 in response to an in-transit packet being observed (or otherwiseafter the in-transit packet is observed), may include but are notlimited to one or more of the following, alone or in any combination orsubcombination:

Packet Observation Time: The time that the in-transit packet is observed(for example, when the in-transit packet is received, or when thein-transit packet is determined to match a rule, or when the in-transitpacket is read) by the packet filtering appliance (e.g., TIG 120). Forexample, the packet observation time may be the local time of day(and/or day of week, date, month, season, etc.) that the in-transitpacket is observed by the TIG 120. Moreover, the packet filteringappliance such as the TIG 120 may determine whether or not theobservation time of the in-transit packet by the TIG 120 occurs within apredetermined time period (which may have been predetermined prior toobserving the in-transit packet), such as during normal business hours,weekends, holidays, and/or any other desired time period, associatedwith the TIG 120 and/or with the owner/operator/administrator of the TIG120, e.g., an enterprise. For example, the TIG 120 may determine theobservation time of an in-transit packet matching a rule, determinewhether the in-transit packet observation time is within a predeterminedtime period, determine (e.g., compute) the in-transit packet'sdisposition and/or one or more directives based on the rule and/or basedon whether the in-transit packet observation time is determined to bewithin a predetermined time period (e.g., disposition 1 (e.g., allow orblock) if within the predetermined time period, and a differentdisposition 2 (e.g., block or allow) if not within the predeterminedtime period), and then that determined disposition and/or directive(s)may be applied by the TIG 120 to the in-transit packet, wherein thedisposition and/or one or more directives may be determined and/orapplied prior to the next in-transit packet being observed. As anotherexample, the TIG 120 may determine the in-transit packet observationtime, determine (e.g., compute) the in-transit packet's dispositionand/or one or more directives based on the rule and/or based on thein-transit packet observation time (e.g., disposition 1 (e.g., allow orblock) or a different disposition 2 (e.g., block or allow)), and thenthat determined disposition and/or directive(s) may be applied by theTIG 120 to the in-transit packet, wherein the disposition and/or one ormore directives may be determined and/or applied prior to the nextin-transit packet being observed;

Appliance Location and/or Appliance Identifier/ID: The location of thepacket filtering appliance (e.g., TIG 120) that observed the in-transitpacket. Location may be, for example: geopolitical location (e.g., whichcountry, state, region, etc.); time zone; network location (e.g., at anetwork boundary or peering point, inside or outside an enterprisesecurity stack/network firewall, etc.). Appliance ID may be used on itsown (without applicant location) or to disambiguate between multipleappliances operating at the same or similar appliance location. Forexample, in response to observing an in-transit packet that matched arule, a packet filtering appliance such as the TIG 120 may determine thelocation and/or identifier of itself and determine (e.g., compute) thedisposition and/or one or more directives to be applied to thatin-transit packet based on the rule, the location, and/or theidentifier, and then apply that disposition and/or directive(s) to thatin-transit packet, wherein the disposition and/or one or more directivesmay be determined and/or applied prior to the next in-transit packetbeing observed. For example, if the location and/or identifier is afirst location and/or first identifier, then the disposition and/ordirective(s) for that in-transit packet may comprise a first disposition(e.g., block or allow) and/or a first directive, and if the locationand/or identifier is a different second location and/or different secondidentifier, then the disposition and/or directive(s) for that in-transitpacket may comprise a different second disposition (e.g., allow orblock) and/or a different second directive;

Administrator and/or associated security policy preferences: Theenterprise or organization that owns, operates, administrates, orotherwise controls the packet filtering appliance (e.g., TIG 120) thatobserved the in-transit packet and/or its associated network. Forexample, different enterprises may have different corporate securitypolicies regarding threat indicators. For example, one enterprise X mayconsider a given threat indicator to be a significant threat, whereasanother enterprise Y may consider the same threat indicator to below-risk or benign. For example, enterprise X may be subject to US ITARcompliances/restrictions whereas enterprise Y may not; or, enterprise Xmay allow communications with anonymizing networks like Tor whereasenterprise Y may not. For example, combinations of (public) IP addressesand ports (and associated services) that the enterprise intends to beopen/available to unsolicited Internet communications. Furthermore, anenterprise may, over time, change its security policy regarding a giventhreat indicator. For example, a packet filtering appliance such as theTIG 120 may, in response to observing an in-transit packet that matchesa rule, determine an administrator of the TIG 120 and/or a securitypolicy preference (e.g., of the administrator). The TIG 120 maydetermine (e.g., compute) a disposition and/or one or more directives tobe applied to that in-transit packet based on the rule, based on theadministrator of the TIG 120, and/or based on the security policypreference, and then apply that disposition and/or directive(s) to thatin-transit packet, wherein the disposition and/or one or more directivesmay be determined and/or applied prior to the next in-transit packetbeing observed;

Network Type: The type of network associated with the packet filteringappliance (e.g., TIG 120) observing the in-transit packet (e.g., aprivate network, public network (Internet), LAN, WAN, etc.). Forexample, a packet filtering appliance such as the TIG 120 may, inresponse to observing an in-transit packet that matches a rule,determine a type of network associated with (e.g., protected by) the TIG120. The TIG 120 may determine (e.g., compute) a disposition and/or oneor more directives to be applied to that in-transit packet based on therule and/or the type of network, and then apply that disposition and/ordirective(s) to that in-transit packet, wherein the disposition and/orone or more directives may be determined and/or applied prior to thenext in-transit packet being observed;

Active Threat/Attack Type: The type of active threat/attack that theobserved in-transit packet may be associated with (e.g., port scan,portsweep, exfiltration, distributed denial of service (DDoS), spam,phishing, malware, etc.). See FIG. 3 and associated description belowfor an exemplary process for protecting networks by using this type ofthreat context information and the methods of the present disclosure.For example, a packet filtering appliance such as the TIG 120 may, inresponse to observing an in-transit packet that matches a rule,determine an active threat/attack type that the observed in-transitpacket is associated with. The TIG 120 may determine (e.g., compute) adisposition and/or one or more directives to be applied to thatin-transit packet based on the rule and/or the active threat/attacktype, wherein the disposition and/or one or more directives may bedetermined and/or applied prior to the next in-transit packet beingobserved;

Whether a Packet is a Member of an Active Multi-Packet, Multi-FlowAttack: Determining whether the packet is a member of an activemulti-packet, multi-flow attack, by performing attack detection (such asto detect port scan attacks) based on a plurality of packet flows (e.g.,multi-packet multi-flow attack detection). For efficiency, an efficientdata structure, for example an LRU cache data structure and/or anefficient attack packet rate estimator, may be used to perform theattack detection. See, for example, the flow chart of FIG. 3. Forexample, a packet filtering appliance such as the TIG 120 may, inresponse to observing an in-transit packet that matches a rule,determine whether the in-transit packet is a member of an active attacksuch as an active multi-packet multi-flow attack. The TIG 120 maydetermine (e.g., compute) a disposition and/or one or more directives tobe applied to that in-transit packet based on the rule and/or based onwhether the in-transit packet is a member of such an active attack, andthen apply that disposition and/or directive(s) to that in-transitpacket, wherein the disposition and/or one or more directives may bedetermined and/or applied prior to the next in-transit packet beingobserved;

Multi-packet, Multi-flow Threat/Attack Analysis Results: Some systemsanalyze one or more (bi-directional) flows to determine threats and/orattacks associated with the one or more flows composed of one or moreobserved in-transit packets. Examples of such systems (which will bereferred to herein generally as “threat analysis systems”) includeIntrusion Detection/Prevention Systems (IDS/IPS), Network BehaviorAnalysis (NBA) systems, and the like. The analysis results, or output,of such threat analysis systems may be threat context information thatmay be used by the packet filtering appliance to compute the dispositionand directives for an in-transit packet. The analysis results may beaccessed efficiently by, for example, the packet filtering appliancemaintaining a flow-tracking table indexed by hashes of the 5-tuplevalues that (uniquely) characterize each observed flow. Any threatanalysis results/outputs associated with a flow may be posted in a flowtracking table. To check if an in-transit packet has any threat contextbased on these analysis results, the hash of the in-transit packet's5-tuple values may index into the flow tracking table to access threatanalysis results, if any, for the flow associated with the in-transitpacket. Hashing and indexing may be done efficiently, for example withconstant-time O(1) complexity using well-known algorithms. For example,a packet filtering appliance (e.g., the TIG 120) may observe anin-transit packet that matches a rule, and determine whether thatobserved in-transit packet is part of a flow associated with analysisresults posted by, e.g., an IDS (for example, by comparing a hash of thein-transit packet's 5-tuple value with the indices of a flow trackingtable to determine the in-transit packet's flow, and determining whetherthat determined flow is associated with any analysis results). Based onthe rule and/or based on whether the in-transit packet's flow isassociated with an analysis result, the TIG 120 may determine (e.g.,compute) a disposition and/or one or more directives to be applied tothe in-transit packet, wherein the disposition and/or one or moredirectives may be determined and/or applied prior to the next in-transitpacket being observed. For example, if it is determined that thein-transit packet's flow is associated with an analysis result, then afirst disposition and/or a first one or more directives are determinedand applied, and if it is determined that the in-transit packet's flowis not associated with an analysis result, then a different seconddisposition and/or a different second one or more directives aredetermined and applied. As another example, if it is determined that thein-transit packet's flow is associated with a first analysis result,then a first disposition and/or a first one or more directives aredetermined and applied, and if it is determined that the in-transitpacket's flow is associated with a different second analysis result,then a different second disposition and/or a different second one ormore directives are determined and applied;

Flow Origination and/or Direction: Whether the flow associated with theobserved packet originated from a public network (e.g., the Internet) orfrom within the private/protected network, and/or the packet'sdirection. For example, a packet filtering appliance such as the TIG 120may, in response to observing an in-transit packet that matches a rule,determine whether the flow associated with the in-transit packetoriginated from a public network (e.g., the Internet) or from within theprivate/protected network, and/or the packet's direction. The TIG 120may determine (e.g., compute) a disposition and/or one or moredirectives to be applied to that in-transit packet based on the ruleand/or based on whether the flow associated with the in-transit packetoriginated from a public network (e.g., the Internet) or from within theprivate/protected network, and/or based on the in-transit packet'sdirection, and then apply that disposition and/or directive(s) to thatin-transit packet, wherein the disposition and/or one or more directivesmay be determined and/or applied prior to the next in-transit packetbeing observed;

Flow State and/or Connection State: For example, whether or not the flowassociated with the observed in-transit packet successfully establisheda TCP connection, the current number of transmitted bytes for the flow,etc. For example, a packet filtering appliance such as the TIG 120 may,in response to observing an in-transit packet that matches a rule,determine a flow state and/or a connection state associated with theobserved in-transit packet. The TIG 120 may determine (e.g., compute) adisposition and/or one or more directives to be applied to thatin-transit packet based on the rule, the flow state, and/or theconnection state, wherein the disposition and/or one or more directivesmay be determined and/or applied prior to the next in-transit packetbeing observed;

Global Threat Context: For example, global threat situation andawareness information on threats/attacks that may be actively orrecently occurring on other networks besides the network being protectedby the (local) TIG 120. Context information associated withthreats/attacks that are concurrently attacking networks distributedbroadly and globally across the Internet, for example, a portsweepattack. See the description associated with FIG. 5 for an example of howglobal threat context may be used by the TIG 120 to efficientlydetermine (e.g., compute) a disposition and/or one or more directivesfor an observed in-transit packet. For example, the packet filteringappliance (e.g., the TIG 120) may observe an in-transit packet thatmatches a rule, determine whether the in-transit packet is associatedwith an attack that may be occurring elsewhere (e.g., on one or morenetworks other than the local network protected by the TIG 120), anddetermine (e.g., compute) a disposition and/or one or more directivesbased on the rule and/or based on whether the in-transit packet isassociated with such an attack, wherein the disposition and/or one ormore directives may be determined and/or applied prior to the nextin-transit packet being observed;

Domain name and/or URI (e.g., URL or URN) threat characteristics: Anydomain name and/or URIs contained in the observed packet may displaylexical and/or syntactic characteristics that may indicate threat risk.For example: a large percentage of URL-encoded characters in a URI isoften correlated with attacks; and domain names that are randomlygenerated alphanumeric strings or otherwise not well correlated withhuman language words, for example, English language words; etc. Thelatter (i.e., correlation with human language words) may be efficientlycomputed using, for example, information entropy measures. For example,a packet filtering appliance such as the TIG 120 may, in response toobserving an in-transit packet that matches a rule with matchingcriteria that is not a URI, determine a URI (e.g., a URL or a URN)contained in the observed in-transit packet, and may determine whetherthe URI is associated with a threat. The TIG 120 may determine (e.g.,compute) a disposition and/or one or more directives to be applied tothat in-transit packet based on the rule and/or the URI (e.g., based onwhether the URI is determined to be associated with a threat), whereinthe disposition and/or one or more directives may be determined and/orapplied prior to the next in-transit packet being observed;

Domain name popularity: The popularity (e.g., current popularity) of adomain name (as measured by, for example, a rate (e.g., an average rate)of DNS requests for resolving the domain) that may be observed in thein-transit packet. Generally/heuristically, the less popular a domainname, the more threat risk may be associated with it. Databases ofdomain name popularity data and associated services are readily andpublicly available. The domain popularity data may be stored locally inefficient data structures and may be quickly/efficiently accessed by TIGlogic for use as threat context information. For example, a packetfiltering appliance such as the TIG 120 may, in response to observing anin-transit packet that matches a rule, determine a domain name containedin the in-transit packet, and may determine a popularity of the domainname. The TIG 120 may determine (e.g., compute) a disposition and/or oneor more directives to be applied to that in-transit packet based on therule and/or the domain name (e.g., based on the popularity of the domainname), wherein the disposition and/or one or more directives may bedetermined and/or applied prior to the next in-transit packet beingobserved;

Domain name registration status: Domain names that are contained in theobserved in-transit packet but are not registered in DNS may be attackvectors. DNS-registered domain names data may be stored locally inefficient data structures and quickly/efficiently accessed by TIG logicfor use as threat context information. For example, a packet filteringappliance such as the TIG 120 may, in response to observing anin-transit packet that matches a rule, determine a domain name containedin the in-transit packet, and may determine a registration status of thedomain name. The TIG 120 may determine (e.g., compute) a dispositionand/or one or more directives to be applied to that in-transit packetbased on the rule and/or the domain name (e.g., based on theregistration status of the domain name), wherein the disposition and/orone or more directives may be determined and/or applied prior to thenext in-transit packet being observed. U.S. Patent ApplicationPublication No. 2020/0351245-A1, filed as U.S. patent application Ser.No. 16/399,700 on Apr. 30, 2019, and U.S. Patent Application PublicationNo. 2020/0351244-A1 filed as U.S. patent application Ser. No. 16/692,365on Nov. 22, 2019, are both hereby incorporated by reference for theirteachings of examples of how to efficiently determine whether a domainname is registered in DNS

Data transfer protocol methods: An observed packet matching a threatindicator and containing certain data transfer protocol methods, forexample the PUT, POST, or CONNECT method requests of Hypertext TransferProtocol (HTTP), may be indicative of a malicious data transfer and thusmay be threat context information used as input to the TIG logic. Forexample, a packet filtering appliance such as the TIG 120 may, inresponse to observing an in-transit packet that matches a rule,determine a data transfer protocol method associated with (e.g.,identified by) the in-transit packet. The TIG 120 may determine (e.g.,compute) a disposition and/or one or more directives to be applied tothat in-transit packet based on the rule and/or the data transferprotocol method, wherein the disposition and/or one or more directivesmay be determined and/or applied prior to the next in-transit packetbeing observed;

Protocol Risk: Some (application-layer) protocols associated with theobserved packet may be insecure or readily abused by malicious actors.For example, Telnet, SSLv2 and SSLv3, and older versions of TLS areknown to be insecure. For example, a packet filtering appliance such asthe TIG 120 may, in response to observing an in-transit packet thatmatches a rule, determine a protocol (such as an application-layerprotocol) associated with (e.g., identified by) the in-transit packet.The TIG 120 may determine (e.g., compute) a disposition and/or one ormore directives to be applied to that in-transit packet based on therule and/or the protocol, wherein the disposition and/or one or moredirectives may be determined and/or applied prior to the next in-transitpacket being observed; and/or

Contextual CTI Noise: In some cases, threat indicators in CTI that maybe generally/globally considered to be associated with actual threatsinstead may be considered to be associated with legitimate, (very) lowrisk, and/or benign communications by some locations/administrativedomains. Such indicators are referred to herein as “CTI noise”.Depending on local context, such indicators may be excluded from the CTIused to protect networks by some administrative domains. For example, insome scenarios, the public/WAN IP addresses assigned to theboundary/interface between a private network X and the Internet may beincluded in globally distributed CTI as threat indicators. These threatindicators may correspond to actual threats for many/most subscribersbut may correspond to legitimate traffic for the private network X.Therefore, the administrators of private network X may want to excludethese indicators from the CTI used to protect private network X. Suchactions are referred to herein as performing CTI noise exclusion. Thus,these indicators are threat context information for private network Xthat may be factored into the logic of any TIG(s) protecting privatenetwork X to effect CTI noise exclusion. For example, a packet filteringappliance such as the TIG 120 may, in response to observing anin-transit packet that matches a rule, determine whether a threatindicator associated with the in-transit packet is to be excluded (e.g.,is determined to be included in a CTI noise data set). The TIG 120 maydetermine (e.g., compute) a disposition and/or one or more directives tobe applied to that in-transit packet based on the rule and/or based onwhether the threat indicator is to be excluded, wherein the dispositionand/or one or more directives may be determined and/or applied prior tothe next in-transit packet being observed. For example, if the threatindicator is determined to be excluded, the disposition may bedetermined to be “allow,” and if the threat indicator is determined notto be excluded (e.g., not included in the CTI noise data set), thedisposition may be determined to be “block.” See FIG. 4 and associateddescriptions below for an explanation of how this threat contextinformation may be used to compute dispositions and directives that bestprotect networks from threats/attacks.

Additional information may be used to help compute the dispositionand/or directive(s) of an in-transit packet. Examples of such additionalinformation include, and are not limited to:

CTI Provider(s) and/or associated information: The CTI provider orproviders that supplied the threat indicator for the matching threatindicator rule, as well as any associated information such as the CTIfeed name/identifier and associated information, threat/attacktype(s)/categories associated with the threat indicator, recommendeddisposition, measures of quality, confidence, riskpotential/probability, threat/risk type and/or category, quantity and/oridentities of the CTI provider(s) that provided the threat indicator,etc., of the CTI provided by the Provider, and the like. Suchinformation may be included in the <metadata> of a threat indicator ruleand may be used as input to the TIG 120 logic when a rule-matchingin-transit packet is observed. Note that when this information may beincluded in rule <metadata> at rule creation time, it may be availablebefore a matching in-transit packet is observed/filtered; therefore, itmay not be strictly considered threat context information by itself. Itmay, however, be combined with threat context information by the logicthat determines an observed in-transit packet's disposition and/ordirectives to provide, for example, context for the threat contextinformation;

Threat Indicator Type and/or Fidelity: The fidelity of a threatindicator is correlated to the type of the threat indicator, which maybe one of, for example (and listed in order of decreasing fidelity),URL/URI, fully qualified domain name (FQDN), domain name, 5-tuple, IPaddress, subnet address range, etc. Threat indicators may also includecertificates and certificate authorities that may be used to securecommunications, for example, TLS-secured communications. Indicators withan indicator type value of “URL/URI” may have the highest fidelity,because a URL maps to a single networked (malicious) resource (e.g., amalware executable file), i.e., there is no uncertainty regarding thethreat risk/maliciousness of an indicator of type URL/URI. Whereasthreat indicators with an indicator type value of “FQDN” have lowerfidelity than “URL/URI” because a single FQDN can map to multiple URLs,or multiple networked resources, some portion of which may benon-malicious. Thus, there may be some uncertainty regarding the threatrisk/maliciousness of an indicator of type FQDN. Similarly, threatindicators with an indicator type value of “IP address” have lowerfidelity than “FQDN” because a single IP address can map to multipledomains/FQDNs, some portion of which may be non-malicious. For example,domain hosting services often have many domains associated with a singleIP address, and it may be the case that only a few/small percentage ofthe domains are associated with threat activity. As with CTI Providerinformation described above, threat indicator type and fidelityinformation may be included in rule <metadata> at rule creation time;therefore, it may not be strictly considered threat context informationby itself. It may, however, be combined with threat context informationby the logic that determines an in-transit packet's disposition anddirectives; and/or

Threat Indicator Age: In general, recently identified threat indicatorsmay be considered to have higher threat risk than older threatindicators. Indicator age may be included in the rule <metadata> orassociated with local efficient data structures containing, for example,recently registered domain names that may be accessed by the TIG logicwhen an observed in-transit packet contains a domain name. As with CTIProvider information described above, threat indicator age informationmay be included in rule <metadata> at rule creation time; therefore, itmay not be strictly considered threat context information by itself. Itmay, however, be combined with threat context information by the logicthat determines an in-transit packet's disposition and directives.

Any of the above threat context information and/or other information, inany combination or subcombination, as well as other types of threatcontext information that may not be listed above, may be efficientlyaccessed and/or otherwise determined (e.g., computed) by the TIG 120,and used by the TIG 120 logic to determine a disposition and/or one ormore directives for an in-transit packet observed by the TIG 120.

As explained above, to signal a packet filtering appliance (e.g., TIG120) to use threat context information to compute a disposition anddirectives for an observed in-transit packet, a new disposition(referred to herein by way of example as a “protect” disposition) may beadded to the packet filtering rule syntax/schema. For example, a threatindicator 12.34.56.00/24 (i.e., a subnet address prefix covering therange of Internet Protocol version 4 (IPv4) addresses [12.34.56.00,12.34.56.255]) may be supplied by a CTI Provider 140 with anintelligence report that associates the subnet address range12.34.56.00/24 with some malicious activities, including port scanning;however, there also may be legitimate traffic associated with12.34.56.00/24. Thus, an enterprise may want to block any maliciousactivity but allow the legitimate activity (e.g., in case it is businessactivity). But with this single threat indicator and a conventionalpacket filtering appliance (i.e., without the threat context informationprocessing capabilities of the present disclosure), an enterpriseseeking to protect its network has to choose between enforcing a rule“block log 12.34.56.00/24”, thereby risking loss of legitimate businesscommunications, or enforcing a rule “allow log 12.34.56.00/24”, andthereby risking business damage from cyberattacks.

As explained throughout this disclosure, with a threat context-enabledpacket filtering appliance (e.g., TIG 120) of the present disclosure,the enterprise instead may protect its network from an unprotectedresource (e.g., from an unprotected network such as public network 110).The threat context-enabled packet filtering appliance may do so usingone or more rules such that in response to determining that one or moreof those rules applies to an observed in-transit packet, the threatcontext-enabled packet filtering appliance may determine threat contextinformation associated with the in-transit packet; determine (e.g.,compute) such as by using logic associated with the one or more rules,based on the threat context information, a disposition and/or one ormore directives; and apply the computed disposition and/or one or moredirectives to the in-transit packet. Moreover, the determining thedisposition and/or directives (and potentially also the applying thedisposition and/or directives) may be efficiently completed before thenext in-transit packet is received by (e.g., observed by) the threatcontext-enabled packet filtering appliance. For example, consider a rule“protect 12.34.56.00/24”. The TIG 120 logic associated with the rule maybe configured, for example, as “If a matching packet for this rule isobserved during normal business hours [or some other timeframe], then‘allow, log, and capture’. If a matching packet for this rule isobserved outside of normal business hours and the packet may beassociated with a current port scanning attack, then ‘block and log’. Inthis example, the in-transit packet observation time, the outcome of acomparison of “normal business hours” with the in-transit packetobservation time, and the determination of whether the observedin-transit packet is associated with a current port scanning attack, mayeach be threat context information that was not available to the TIG 120prior to the in-transit packet being observed by the TIG 120. Other TIG120 logic may apply, based on one or more matching rules, any othertype(s) of threat context information in any other combinations orsubcombinations, as desired.

The directives that are determined and applied by threat context-awarepacket filtering appliances may be of any relevant type. For example,threat context-aware logging directives may be used that further improvethe efficiency and effectiveness of CTI-based cyber analysis anddefense. Conventional logging directives may be used, including, forexample, a basic “log” directive, which creates a log for a singlepacket, and a “flow-log” directive, which aggregates logs of packetsfrom the same flow (i.e., the same bidirectional 5-tuple) into a singlelog for the flow. In the context of CTI-driven network protection, whichmay use logs for improving network protections, these basic packet logand flow log directives may, in some scenarios, be both ineffective andinefficient. For example, a typical port scan attack on an enterprisenetwork boundary may comprise many thousands or millions of packets in arelatively short amount of time, generating a log for each packet.Furthermore, because each packet in a port scan attack may have adifferent 5-tuple flow characteristic, flow logging may notsignificantly reduce the number of logs and/or the volume of log data.Thus, log directives may be implemented that, for example, collectstatistical/aggregate/cumulative data on correlated packets (e.g.,packets comprising the same port scan attack) and produce a single logfor many packets and/or flows in such a way that the single log for theattack is much more effective for cyber analysis and defense than themany packet logs and/or flow logs that would have been generatedotherwise. Similarly, log directives that are designed for specificcyber attacks, such as the example port scan attack described above, maybe implemented that produce a single log for an attack incident that hashigh information value for cyber analysis and defense. Examples of suchlog directives are described in U.S. Provisional Patent Application Ser.No. 63/106,166, filed Oct. 27, 2020 and entitled “Methods and Systemsfor Efficient Adaptive Logging of Cyber Threat Incidents,” herebyincorporated by reference for its disclosure of the above-mentioned logdirectives. These log directives may be determined (e.g., computed)based on any or all of the threat context information collected orotherwise determined by the TIG 120 for one or more of the observedin-transit packets.

With so many potential sources and types of threat context informationand the many possible combinations, it may become impractical for humansto design accurate and efficient decision logic. In this scenario, anddepending upon the data speed, TIG capacity, and/or other factors,machine learning may be desirable or even necessary to design some orall of the decision logic. For example, a machine-learned artificialneural network may be created that has a plurality of input nodes thatcorrespond to sources of threat context information and to informationderived from the in-transit packet being filtered, and a plurality ofoutput nodes that correspond to the dispositions and the directives tobe applied to the in-transit packet. The neural network may be createdin such a way, for example as a bounded-depth classifier, that thedecision logic is highly efficient (e.g., has constant-time complexity).In addition to or as an alternative to artificial neural networks, othermachine learning algorithms and methodologies may be used to design thedecision logic, for example, evolutionary algorithms, geneticalgorithms, genetic programming, and the like.

Persons of ordinary skill in the art may appreciate that in someembodiments of the present disclosure, the “protect” disposition may betreated as a procedure call by the TIG application logic and accordinglymay be parameterized with variables in order to, for example, specifydefault values for disposition and directives, and/or specify whichthreat context information may be used to compute dispositions anddirectives, and the like. For example, “protect(disposition=“allow”,directives=“log, capture”, threat-context::“port-scan-attack,time-of-day”) may signal the TIG application logic to compute thedisposition and directives by using the threat context informationassociated with port scan attack detection logic and with the currenttime-of-day (which may correspond to the observation time of thein-transit packet). Furthermore, the default values for disposition anddirectives may be used if, for example, the TIG logic for computing thedisposition and directives is non-determinate, which may occur, forexample, if the TIG may be executing a version of the application logicthat may not support the specified threat context logic. Also, the TIGapplication logic may treat the dispositions “block” and “allow” asprocedure calls that may implicitly execute logic that may transparentlyuse some threat context information to cause useful/desirable sideeffects when the “block” or “allow” operation is applied to the packet.A concrete example of such logic is described below in association withFIG. 4.

As an example of using multiple types and combinations of threat contextinformation that may only be available at the time, location, andenvironment of in-transit packet observation to compute dispositions anddirectives for an in-transit packet, consider the following: A majorissue associated with protecting networks using cyber threatintelligence (CTI) that may be addressed by using the threat contextfiltering methods of the present disclosure is handling port scanattacks (as well as some attacks with similar characteristics as portscan attacks, for example, portsweep attacks, some DDoS attacks such asreflected spoofed attacks, etc.). In a typical port scan attack, amalicious actor may use a port scanner application to search thetarget/victim network for any services that may be “open”, i.e.,services accessible by Internet hosts at L3 (IP) and acceptingconnections at L4 (TCP), and thus potentially exploitable or attackable.Persons skilled in the art may refer to such malicious activity as(cyber) reconnaissance. For each public IP address of the targetnetwork, for example, the 256 contiguous IP addresses forming a /24 IPv4subnet address block, there are potentially 48K well-known or registeredports that may be open. For example, an enterprise may host itspublic-facing web server on port 80 (the well-known port for HTTPservice) and/or port 443 (the well-known port for HTTP Secure (HTTPS))of a public IP address assigned to the enterprise. A port scannertypically sends a TCP SYN handshake flag to a given {IP address, port}pair. If the {IP address, port} responds with TCP SYN-ACK handshakeflags, then the port scanner knows the {IP address, port} pair is“open”, i.e., accepting (unsolicited) TCP connection requests. Thisinformation may then be used to attack or otherwise exploit the serviceassociated with the open port. During a typical attack on a targetnetwork, the port scanner may send hundreds or even thousands of TCPSYNs per second to different {IP address, port} pairs over a period ofseveral minutes.

To evade attribution, for example, the malicious actor may compromise anotherwise legitimate host computer or computers connected to anotherwise legitimate enterprise network, for example network 130 of FIG.1, and install a port scanner program on the host computer(s). To avoidnotice and/or mitigate any adverse effects of the attack on the businessoperations of the target, the malicious actor may also launch a portscan attack during the non-business hours of the enterprise thatoperates the target network.

A CTI Provider or Providers 140 may determine that a (compromised) hostcomputer, for example host C, connected to network 130, is a source ofport scan attacks and/or other malicious activity, and may include theone or more IP addresses associated with host C in the CTI feeds that itpublishes to subscribers. For example, host C may be assigned one ormore public IP addresses associated with the boundary of network 130 andthe Internet 110. For example, the ISP for network 130 may allocate theIPv4 subnet address range 22.22.22.00/24 to network 130, and a networkaddress translation (NAT) device at the boundary may temporally assignany of the 256 IPv4 addresses in 22.22.22.00/24 to host C when host C isperforming Internet communications, including when host C is conductingport scan attacks. Thus, a CTI Provider may include one or more IPaddresses from 22.22.22.00/24 as threat indicators in one or more CTIfeeds, and/or may include the subnet address prefix 22.22.22.00/24 as asingle threat indicator in one or more CTI feeds.

During policy construction, and for systems that are not enabled withthe methods/technology of the present disclosure, it is often the casethat such CTI/threat indicators are transformed into packet filteringrules with “allow” disposition (and with “quick”, “log”, and/or“flow-log” directives) instead of “block” disposition. This is becauseenterprises that protect their networks with such CTI and associatedpacket filtering rules may not want to risk blocking/dropping legitimatebusiness traffic, especially during normal business hours. Thus, theenterprise may detect such port scan attacks (because of the “log”and/or “flow-log” directives and associated log analysis/threatawareness applications), but the malicious actor's mission is achieved(e.g., the open ports may be known by and associated services may becharacterized by the malicious actor). Additionally, the associated logsgenerated by the port scan attack may flood/overwhelm any loganalysis/threat awareness applications and associated resources (e.g.,compute resources, storage, network bandwidth, and/or cyberanalystsoperating the applications).

FIG. 2 is a flowchart describing a packet filtering appliance's (such asa TIG 120) exemplary use of threat context information associated withactive attacks to compute dispositions and/or directives for in-transitpackets. At Step 2-1, the TIG 120 may be configured with threat contextfiltering logic and/or other information that may be used for computingdispositions and/or directives of in-transit packets. This configurationstep may be performed before the TIG 120 goes online in its networkand/or as part of an update after the TIG 120 is already online. As willbe described below, this configuration may comprise traditional threatcontext filtering logic as well as other types of logic such as theconfiguration of an artificial neural network classifier of the TIG 120.

Next, at Step 2-2, SPMS 150 may receive one or more CTI feeds providedby one or more CTIPs 140.

At Step 2-3, SPMS 150 may aggregate the associated threat indicatorsbased on those one or more CTI feeds and create one or more sets ofpacket filtering rules (which may be associated with one or morepolicies) with packet matching criteria corresponding to the threatindicators. The rules in the policies may further be associated withvarious dispositions. For example, at least some of the rules in a givenpolicy may be associated with a “protect” disposition, whereas otherrules in the policy may be associated with “allow” or “block”dispositions. In further examples, the rules may be associated withinformation indicating that a disposition is to be determined atin-transit packet observation time. For example, as discussedpreviously, a rule may have or otherwise be associated with a value(such as a flag) indicating whether the disposition is to be computed atin-transit packet observation time using threat context information. Forexample, a rule may have a field containing a flag, where a flag valueof zero means “use the rule's predetermined disposition” and a flagvalue of one means “compute the rule's disposition at in-transit packetobservation time.” More generally, each rule may be associated with apredetermined disposition that is applied by default at in-transitpacket observation time, or associated with an indication (such as the“protect” disposition, or a null disposition, or the above-describedflag) that the disposition is to be computed at in-transit packetobservation time and/or is not predetermined before the in-transitpacket observation time.

At Step 2-4, SPMS 150 may publish the policies to its subscribers, whichmay include the TIG 120. Thus, the TIG 120 may receive a policy fromSPMS 150, which as mentioned above may include the one or more rulesassociated with the various dispositions. The TIG 120 may, using thereceived policy, self-configure to be able to enforce the policy onfuture observed in-transit packets.

At Step 2-5, the TIG 120 may receive, for example from another networksuch as network 110, the next in-transit packet P. For example, FIG. 9shows a series of in-transit packets P0, P1, etc. being received by theTIG 120. The next-in transit packet P in Step 2-5 may be considered, forexample, to be packet P0 of FIG. 9.

At Step 2-6 of FIG. 2, the TIG 120 may perform a search of its policy(that was received and configured in Step 2-4) to see which rule orrules may match (apply to) the in-transit packet P. If the TIG 120determines that the in-transit packet P matches a rule associated with a“block” or “allow” disposition, and/or is otherwise not indicated asbeing associated with subsequent disposition computation, then the TIG120 may apply that predetermined disposition identified by the rule.This is shown by way of example in FIG. 9, in which the rule matchingmay result in an immediately determined disposition (and/or directive)indicated by a matching rule, and which may be applied to the in-transitpacket P0. If, however, the TIG 120 determines that the in-transitpacket P matches a rule associated with a “protect” disposition orotherwise is associated with an indication that the disposition (and/orother action to be applied to the in-transit packet) is to be computedat in-transit packet observation time and/or is not predetermined beforethe in-transit packet observation time, then Steps 2-7 and 2-8 (FIG. 2)may be performed and the process may return to Step 2-5 to receive thenext packet.

At Step 2-7, in response to the in-transit packet P and/or in responseto the determination that the in-transit packet P matches a ruleassociated with a “protect” disposition (or is otherwise associated withcomputation of disposition at in-transit packet observation time), theTIG 120 may determine threat context information associated within-transit packet P and/or associated with the rule. The determinedthreat context information may include one or more types of threatcontext information, such as any of the types of threat contextinformation described herein (e.g., observation time, appliancelocation, etc.). The TIG 120 may determine (e.g., compute), based atleast in part on the threat context information, a disposition (e.g.,“allow” or “block”) and/or one or more directives (e.g., “log,” “quick,”etc.). The computed disposition and/or directive(s) may be ones that aredetermined to best protect the network associated with the TIG 120(e.g., network 102 associated with TIG 120 a). This is shown by way ofexample in FIG. 9, where if the rule matching process determines thatthe in-transit packet (P0, in this example) matches a “protect”disposition rule or is otherwise associated with computation ofdisposition at in-transit packet observation time, then a disposition, adirective, and/or some other action to be applied to the in-transitpacket may be computed based on threat-context information associatedwith the in-transit packet P0, and the computed disposition, directive,and/or other action may be applied to the in-transit packet P0.

In the example of FIG. 9, the entire process for a given in-transitpacket, from rule matching to computing disposition and/or directive toapplying the computed disposition and/or directive, may all be completedby the TIG 120 prior to the next in-transit packet (P1) being receivedby the TIG 120. However, other timings may be feasible. For example, theprocess up through computing the disposition and/or directive may becompleted prior to the TIG 120 receiving the next in-transit packet P1.As another example, the disposition and/or directive for in-transitpacket P0 may be partially or fully computed prior to the dispositionand/or directive being computed or otherwise determined for the nextin-transit packet P1, even if the disposition and/or directive forin-transit packet P0 may not be applied prior to observing the nextin-transit packet P1. An example of this latter timing is shown in FIG.10. Such timing may work efficiently where, for example, the TIG 120 isable to compute the disposition and/or directive (and/or the applicationof the disposition and/or directive) for an in-transit packet (e.g., P0)simultaneously with (e.g., in parallel with or concurrently with)performing rule matching for the next in-transit packet (e.g., P1). Thistiming may be feasible where, for example, different (and/orindependent) processing resources are used for rule matching as comparedwith the processing resources used for computation of dispositionsand/or directives based on threat context information, and/or wherecomputing the disposition and/or directive for an in-transit packet P0does not interfere with rule matching for the next in-transit packet P1(and vice-versa).

At Step 2-8 of FIG. 2, the TIG 120 may apply the computed dispositionand/or the computed one or more directives to the in-transit packet P.Then, the process may return to Step 2-5 to receive the next packet(e.g., packet P1 of FIG. 9 or FIG. 10). In some examples, the process ofFIG. 2 may be performed one step at a time, in a pipeline processingmanner. In further examples, the process of FIG. 2 may be performedwhere performance of one or more of the steps may overlap in time and/ormay be simultaneous.

The methods and technologies of the present disclosure that factor inthreat context information when computing dispositions and/or directivesat in-transit packet observation time may be used to protect networks inthe above scenarios and/or in other (e.g., similar) scenarios. Forexample, for the above scenarios that include port scan attacks, therelevant threat context information associated with an in-transit packetat observation time may comprise (a) whether or not the packet is partof/comprises an active port scan attack; (b) whether or not theobservation time is during normal business hours; and (c) possibly otherthreat context information, such as which combinations of IP addressesand ports (and associated services) that the enterprise intends to beopen/available to unsolicited Internet communications. For example,suppose an (in-transit) packet P0 matches a rule R0 with a “protect”disposition, and the associated TIG's 120 logic for computing thedisposition and directives factors in the threat context information (a)and (b) listed above. An example of such TIG 120 logic, written inpseudocode as a procedure, may be as follows:

-   -   Compute-Disposition-and-Directives(in packet:P0, out        string:Disposition-and-Directives):        -   IF (Member-Active-Port-Scan-Attack(P0) AND            NOT(Normal-Business-Hours(current-time( ))))        -   THEN Disposition-and-Directives:=“block, log, quick”;        -   ELSE Disposition-and-Directives:=“allow, log, quick”;        -   End Compute-Disposition-and-Directives;

Referring to the above pseudocode, the procedureCompute-Disposition-and-Directives( ) accepts as input the (in-transit)packet named P0 that has matched a “protect” rule associated with CTIand outputs a string Disposition-and-Directives containing the computeddisposition and directives that may be applied to P0 to best protect thenetwork. The Boolean function Member-Active-Port-Scan-Attack(P0)determines if packet P0 is part of an active port scan attack. TheBoolean function Normal-Business-Hours( ) determines if the input time,which is the function call current-time( ) in the exemplary pseudocodeabove, occurs during normal business hours (which may be locallyconfigurable). Overall, the procedure in this example combines multipletypes and values of threat context information that may be availableonly at (and not before) the in-transit packet's observation orfiltering time to compute the disposition and directives that bestprotect the network from the threat associated with an in-transit packetthat has matched a packet filtering rule derived from CTI.

As noted above, when factoring in threat context information into logicfor computing dispositions and/or directives for in-transit packets, itmay be desirable that the threat context information and associated TIGlogic be computed efficiently, for example, that the (time) latencyincurred from threat context information determinations (e.g.,computations) does not adversely affect the packet processingperformance of the packet filtering network appliance (e.g., TIG 120)and thereby cause a violation of the “transparency rule” of RFC 2979.For example, (relatively) high latency may cause in-transit packetbuffers of packet filtering network appliances to overflow and therebymay cause packet drops, which may affect the performance of theassociated networked applications. Referring to the above example, thethreat context information (a) and (b)—i.e., (a) “is the packet a memberof an active port scan attack?,” which may be implemented as thefunction Member-Active-Port-Scan-Attack( ) described above, and (b) “isthe packet's observation time during normal business hours?,” which maybe implemented as the function Normal-Business-Hours( ) describedabove—therefore would be efficiently computed. Persons skilled in theart know how to efficiently compute functions such as(b)/Normal-Business-Hours( ) or other similar time-based functions, forexample, by accessing a timestamp( ) function in the TIG 120 that may beavailable in a software development kit, e.g., the Data PlaneDevelopment Kit (DPDK), that is designed to efficiently processin-transit TCP/IP packets. While accessing a time function that may be asystem call to the TIG's 120 relatively slow operating system kernel mayalso produce this information, this may be a less efficient (and thuspotentially impractical) way of doing so. Persons skilled in the art,however, may not know how to efficiently compute(a)/Member-Active-Port-Scan-Attack( ) and certain functions similar to(a), e.g., how to efficiently compute if a (in-transit) packet is amember of an active port scan attack and/or a member of an active attackthat may be structurally similar to a port scan attack, for example aportsweep attack.

Accordingly, we next describe an example efficient method for computing(a)/Member-Active-Port-Scan-Attack( ) and functions similar to (a). Theexample method includes, for each attack type of interest:

(1) characterizing the structure (e.g., architecture) of the attack typeand the associated information;

(2) identifying the attack information, or key, that may uniquelycharacterize each instance of the attack type and may be used as or maycorrespond to an index into and/or unique identifier of a set of(potential) attack instances, which may be considered elements of theset;

(3) creating an (efficient) set data structure for managing (potential)instances of the attack type, where each distinct instance of the attacktype, or equivalently each element in the set, is identifiedby/associated with its (unique) key. The set data structure may beassociated with at least the operations Insert(key, element), whichinserts a new element identified by key, for example a new (potential)attack instance, into the set, and Member(key), which tests if there isan element already in the set that corresponds to the key. Furthermore,for attack types that are comprised of multiple packets, such as portscan attacks, an additional (Boolean) operation Is-Active-Attack(key)may be associated with the set data structure. For example, for someattacks that may be composed/comprised of multiple packets, a potentialattack instance may not be determined to be an active/actual attackuntil certain multi-packet criteria are met. For example, a potentialport scan attack instance may be determined to be active, i.e., anactual vs. potential attack instance, only after multiple differentports have been scanned and the attack packet rate exceeds a thresholdvalue. Both criteria in this example require that multiple packetsassociated with a (potential) attack instance have been observed; and

(4) configuring and operating the TIG with logic for determining if anin-transit packet is part of, or comprises, an instance of an (active)attack.

For exemplary purposes, the above methodology, which may be applied toport scan attacks, but which may be readily adapted to other types ofattacks, may be described as follows.

As for (1), which is characterizing the structure or architecture andassociated information of a single, distinct instance of a (typical)port scan attack on a target network being protected by a TIG, acharacterization may include:

-   -   Inbound (relative to the TIG and network being protected)        packets containing a TCP SYN flag;    -   Such packets being sourced by/originating from the same Internet        IP address and/or the same (small) subnet address range, for        example the same /24, /28, or /32 IPv4 subnet address prefix;    -   Such packets being destined for multiple different public IP        addresses of the target network and/or being destined for        multiple different ports; and/or    -   Such packets being sent at a rate that exceeds a (heuristic,        configurable, and/or predetermined) threshold, such as ten (10)        such packets per second, although other threshold values may be        used.

Thus, for example, the collection of information that may (efficiently)represent an instance of a (potential) port scan attack may include anyone or more of the following in any combination or subcombination:

-   -   the source IP address or subnet address prefix, which may also        be identified/associated with the key that uniquely        characterizes or represents the attack;    -   the current number of packets comprising the attack;    -   the number of different ports scanned by the attack, and a        (configurable and/or predetermined) threshold value that may        determine that the potential attack may be an active port scan        attack (for example, in practice the threshold value may be        four (4) different ports, although other threshold values may be        used);    -   the number of different destination IP addresses scanned by the        attack;    -   the current rate (e.g., packets per second) of the attack, and a        (configurable and/or predetermined) threshold value that may        determine that the attack may be an active port scan attack, for        example, in practice the threshold value may be ten (10) packets        per second, although other threshold values may be used.        Estimates of current rates may be computed efficiently by using,        for example, logic based on an exponentially weighted moving        average (EWMA) method, or based on an exponential smoothing        method. Exponential smoothing is time and space efficient        because each update to the estimate after each (attack) packet        has been received requires only a constant-time O(1) computation        (typically two multiplications and one addition), and typically        only three values need be stored at any time (for each managed        attack, e.g., for each potential attack in each set data        structure for managing attacks of a given type);    -   a start time of the attack, for example, the observation time of        a particular (e.g., the first) packet comprising the attack;    -   a unique identifier for the (potential) port scan attack        instance;    -   and/or the like.

As for (2), which is identifying the attack information, or key, thatmay uniquely characterize each instance of the attack: For typical portscan attacks, a unique key may be a (inbound TCP SYN) packet's source IPaddress or an associated (small) subnet address range, such as the /24or /28 IPv4 subnet address prefix corresponding to the packet's sourceIP address.

As for (3), which is creating an (efficient) set data structure formanaging (potential) instances of port scan attack, an exemplaryefficient set data structure may be a Least Recently Used (LRU) cache.An LRU cache may be implemented as a (bounded) doubly linked list withan associated hash map for efficiently indexing into the linked list.The elements of the set are instances of potential port scan attacks,that may be represented by the information described above in (1), andthat may be uniquely identified by/associated with the key describedabove in (2). The set operations/functions for a set data structure suchas an LRU cache may include: Insert(key, element), a procedure that mayinsert a new (potential) port scan attack instance, or element,identified by the key into the set of (potential) port scan attacks;Member(key), a function that determines whether or not a (potential)attack, which is uniquely represented/identified by the key, is anelement in the set; and Delete(key), a function that removes theassociated element from the set. For an LRU cache, both Insert( ) andMember( ) may have constant-time complexity, i.e., O(1) complexity, andmay therefore be examples of efficient operations. For a (bounded) LRUcache, the Delete( ) function may also have O(1) complexity but may betransparent/implicit/not exposed because an element is automaticallydeleted from an LRU cache if the associated set has reached its sizelimit and if the element is the oldest, or least recently used (LRU),element in the set. This way, attacks that may have ended, subsided, orotherwise gone dormant may be efficiently removed from the set ofpotential and/or active attacks. For the exemplary case of port scanattacks, for which a single instance may be composed/comprised ofmultiple packets and/or for which multiple packets may be necessary todetermine whether or not an attack instance is currently active, anadditional input parameter named “packet” may be added to both theMember(key, packet) function and the Insert(key, packet, element)procedure associated with the set, with the following examplesemantics/logic:

Member(key, packet) searches the set for an element, for example aninstance of a (potential) port scan attack, that matches the key (forexample, the packet's source IP address). If there is no match (e.g.,there is no element/port scan attack instance in the set that the packetcorresponds to/is associated with), then return FALSE. If there is amatch (e.g., there is an element/port scan attack instance in the setthat the packet corresponds to/is associated with), then (1) integratethe packet with the matching instance, for example: increment thecurrent number of packets comprising the attack; if necessary orotherwise appropriate, update the number of different ports comprisingthe attack; if necessary or otherwise appropriate, update the number ofdifferent destination IP addresses comprising the attack; update thecurrent rate of the attack; etc., and (2) return TRUE. Note that thepacket integration computations may be sufficiently efficient, forexample having O(1) complexity, such that the overall efficiency of thecomputation of the disposition and directives does not decrease;

Insert(key, packet, element) inserts a new (unique) element, for examplea new instance of a (potential) port scan attack, which may beidentified by the key and may be initialized with the packet. Forexample, for the new element/new attack instance: the source IP addressor subnet address range associated with the new attack instance may beset to the key, which may be, for example, the source IP address of thepacket or the corresponding subnet address prefix; the current number ofpackets comprising the attack may be initialized to, e.g., 1; the numberof different ports scanned by the attack may be initialized to, e.g., 1;the number of different destination IP addresses scanned by the attackmay be initialized to, e.g., 1; the current rate may be set to, e.g., 0;the start time of the attack may be set to the current time (e.g., wallclock, local, or using some other time standard); a (unique) identifierfor the port scan attack, which may be automatically generated by alocal or global service; and/or so on.

For managing port scan attacks, the set data structure may also beassociated with a Boolean function Is-Active-Attack(key), which returnsTRUE if the element/attack instance corresponding to the key iscurrently active and returns FALSE if the element/attack instancecorresponding to the key is currently not active (or if there is noelement/attack instance corresponding to the key in the set). Whether aport scan attack is active or not may be determined by, for example,comparing the value of the number of different ports scanned parameterto a (pre-configured) threshold value, e.g., four (4) different portsscanned, and comparing the value of the current rate parameter to a(pre-configured) threshold value, e.g., ten (10) packets per second. Ifboth parameter values exceed (or meet or exceed) their respectivethresholds, then the attack may be considered active; otherwise, theattack may be considered not active.

With efficient implementations of Insert( ) Member( ) andIs-Active-Attack( ) an efficient functionMember-Active-Port-Scan-Attack( ) referenced in the above pseudocode forCompute-Disposition-and-Directives( ) may be described (in pseudocode),for example, as follows:

Boolean Member-Active-Port-Scan-Attack(in packet: P0):

Key key:=Port-Scan-Attack-Key(P0); /* e.g., the source IP address ofpacket P0 */

IF NOT(Member(key, P0)) THEN Insert(key, P0, new element( )); ENDIF;

Return Is-Active-Attack(key); /* end of functionMember-Active-Port-Scan-Attack */

For exemplary purposes, the above function assumes that a set datastructure for managing potential port scan attacks has been initializedby, for example, TIG application logic, and is transparently available.Also, for different types of attacks besides port scan attacks, forexample portsweep attacks, functions similar to the aboveMember-Active-Port-Scan-Attack( ) may be utilized with the appropriateand corresponding sub-functions, data structures, keys, and elements forthe attack type.

Whether or not an attack is determined to be active or not (when thein-transit packet is observed) may be important threat contextinformation for determining the disposition and directives of a packetthat may match a packet filtering rule. FIG. 3 is a flowchart describingan exemplary use of threat context information associated with activeattacks, for example port scan attacks (an example of a multi-packet,multi-flow attack), to compute dispositions and/or directives for anexemplary in-transit packet. The process indicated by the flowchart isdescribed with reference to particular devices (e.g., TIG 120 a),however the process may be performed by, or in communication with, anyother devices (e.g., any of the other TIGs 120).

Referring to FIG. 3: In Step 3-1, TIG 120 a protecting network 102 maybe configured with logic that may use one or more types of threatcontext information to compute dispositions and directives forin-transit packets in order to protect network 102 from threatsassociated with Internet hosts. The threat context information mayinclude, for example: attack detection logic, such as logic fordetecting port scan attacks, portsweep attacks, DDoS attacks, reflectedspoofed attacks, etc.; current time of day, which may be used todetermine the time that an in-transit packet is observed or otherwisereceived, and/or to compare that observed/received time with apredetermined timeframe such as normal business hours; contextinformation specific to the owner/operator of the TIG; and/or the like.Other examples of threat context information are described elsewhere inthis document. In one particular example, TIG 120 a's port scan attackdetection logic may be configured with threshold values of (for example)two (2) for the number of different ports indicating a port scan attack,and ten (10) packets per second for the attack rate. Other thresholdvalues may be used. TIG 120 a's normal business hours may be configuredto be the time interval between (for example) 7 AM and 6 PM (localtime). TIG 120 a also may be configured with a policy received from anSPMS 150 that may contain packet filtering rules with matching criteriacorresponding to threat indicators derived from CTI. One of these threatindicators may correspond to a particular IP address, for example22.22.22.22, of a host connected to a particular network such as network130. The disposition of the rule with matching criterion 22.22.22.22 maybe “protect”, which signals the TIG 120 a to apply logic that factors inthreat context information to compute the disposition and/or directivesto be applied to an in-transit packet.

In a first iteration of Step 3-2, the TIG 120 a receives a first inboundpacket (referred to herein as “P0”) containing a TCP SYN on one of itsInternet interfaces at a particular time, e.g., 3 AM local time (i.e.,03:00:00:00). This packet P0 may have been sent by a particular host,e.g., the host 22.22.22.22, that may have been infected with malware forconducting port scan attacks. Thus, P0's source IP address is22.22.22.22, the destination IP address is 11.11.11.11, which may be apublic IP address associated with network 102, and the destination portis 22 (the well-known port for the Secure Shell (SSH) service). The TIG120 a searches the policy for a rule that matches P0 and finds a rulewith matching criteria 22.22.22.22 and with a “protect” disposition. The“protect” disposition signals the TIG 120 a to use threat contextinformation and associated logic to compute the disposition and/ordirectives that may be applied to the packet (assuming no other matchingrules override the computed disposition).

In a first iteration of Step 3-3, the TIG 120 a logic may determine thatP0 is inbound (relative to network 102) and includes a TCP SYN flag, andbased on this may determine that P0 may be a component of a port scanattack. Accordingly, the logic invokes the procedureCompute-Disposition-and-Directives(P0, new stringdisposition_and_directives). The procedure calls the Boolean functionMember-Active-Port-Scan-Attack(P0), which determines that the packet P0may be the first packet of a new (potential) port scan attack because,for example, it is not a member of an existing (potential) port scanattack (e.g., the subfunction Member(key, P0) returned FALSE).Accordingly, a new element/port scan attack instance is created from P0(by invoking the procedure Insert(key, P0, new element( ))) and isinserted into the local set data structure that manages (potential) portscan attacks. This new element may be populated with initial values thatmay be derived from the initial packet and environment, for example, thekey may be set to or otherwise generated based on 22.22.22.22 (or22.22.22.00/24), the value of the parameter for the current number ofpackets comprising the attack may be initialized to 1, the value of theparameter for the number of different ports scanned by the attack may beinitialized to 1, the value of the parameter for the number of differentdestination IP addresses scanned by the attack may be initialized to 1,the value of the current rate parameter may be set to 0, the start timeof the attack may be set to 3 AM local time (i.e., 03:00:00:00), and soon. It may also be useful to generate a (unique) attack identifier thatmay be associated with this new element/new (potential) attack instance.

In a first iteration of Step 3-4, during theMember-Active-Port-Scan-Attack( ) function call, the value of theparameter for number of different ports scanned by the attack and thevalue of the current rate parameter are compared to their associatedthreshold values. Because neither parameter value exceeds thecorresponding threshold value in this example, the attack is determinedto not be active; thus, the Member-Active-Port-Scan-Attack( ) functionreturns FALSE. Also in the first iteration of Step 3-4, the functionNormal-Business-Hours(03:00:00:00) is called, which returns FALSE. Thus,the logic “(Member-Active-Port-Scan-Attack(P0) ANDNOT(Normal-Business-Hours(current-time( ))))” returns NO/FALSE;therefore, the Disposition-and-Directives string is set to “allow, log,quick”.

Accordingly, in Step 3-5F, the TIG 120 a logic allows/forwards thepacket P0 toward the destination 11.11.11.11, logs the packet, and exitsthe policy search (because of the “quick” directive). Upon completingthe processing of packet P0, the logic program control is returned toStep 3-2 in order to process the next packet arriving at an interface ofTIG 120 a.

In a second iteration of Step 3-2, in this example the TIG 120 areceives a second inbound packet (“P1”) containing a TCP SYN on one ofits Internet interfaces 0.01 seconds after P0 arrived at 3 AM local time(i.e., P1 arrives at 03:00:00:01). This packet P1 may have been sent bythe host 22.22.22.22 that may have been infected with malware forconducting port scan attacks. Thus, P1's source IP address is22.22.22.22, the destination IP address is 11.11.11.11, a public IPaddress associated with network 102, and the destination port is 23 (thewell-known port for the Telnet service). The TIG 120 a searches thepolicy for a rule that matches P1 and finds a rule with matchingcriteria 22.22.22.22 and with a “protect” disposition (for example, thesame rule matched by packet P0 above in the first iteration of Step3-2). The “protect” disposition signals the TIG 120 a to use threatcontext information and associated logic to compute the dispositionand/or directives that may be applied to the packet.

In a second iteration of Step 3-3, the TIG 120 a logic determines thatP1 is inbound (relative to network 102) and includes a TCP SYN flag,which indicates that P1 may be a component of a port scan attack.Accordingly, the logic invokes the procedureCompute-Disposition-and-Directives(P1, new stringdisposition_and_directives). The procedure calls the Boolean functionMember-Active-Port-Scan-Attack(P1), which determines that the packet P1may be a member of an existing (potential) port scan attack (e.g., thesubfunction Member(key, P1) returned TRUE). Accordingly, a side effectof the Member( ) function is to insert/integrate the packet P1 into theelement representing the (potential) port scan attack. For example, thevalue of the parameter for the current number of packets comprising theattack may be incremented by 1 to 2 (representing a total of tworeceived packets associated with the potential attack), the value of theparameter for the number of different ports scanned by the attack may beincremented by 1 to 2 (representing a total of two different portsassociated with the potential attack), the value of the parameter forthe number of different destination IP addresses scanned by the attackremains set to 1 (representing a total of one destination IP addressassociated with the attack), the value of the current rate parameter maybe computed to be 100 (with units of packets per second, because P1arrived 0.01 seconds after P0) (representing a packet rate associatedwith the attack), and so on.

In a second iteration of Step 3-4, during theMember-Active-Port-Scan-Attack( ) function call, the value of theparameter for number of different ports scanned by the attack and thevalue of the current rate parameter are compared to their associatedthreshold values. Because both parameter values match or exceed theircorresponding threshold values, the attack is determined to be active;thus, the Member-Active-Port-Scan-Attack( ) function returns TRUE. Alsoin the second iteration of Step 3-4, the functionNormal-Business-Hours(03:00:00:01) is called, which returns FALSE. Thus,the logic “(Member-Active-Port-Scan-Attack(P1) ANDNOT(Normal-Business-Hours(current-time( ))))” returns YES/TRUE;therefore, the Disposition-and-Directives string is set to “block, log,quick”.

Accordingly, in Step 3-5T, the TIG 120 a logic blocks/drops the packetP1, thereby protecting the network 102 from the (active) port scanattack, logs the packet, and exits the policy search (because of the“quick” directive). Upon completing the processing of packet P1, thelogic program control is returned to Step 3-2 in order to process thenext packet arriving at an interface of TIG 120 a. The process of FIG. 3may be repeated for each subsequent arriving packet.

Note that the above methods for efficiently determining a packet'sthreat context association with port scan attacks may be readily adaptedto other types of attacks with other (e.g., similar) characteristics(e.g., multiple different flows), for example, portsweep attacks,certain DDoS attacks, etc. Also, the methods are not restricted/limitedto packets that may match packet filtering rules with matching criteriacorresponding to threat indicators associated with CTI or correspondingto particular timeframes (e.g., by comparing in-transit packetobservation time with a known timeframe such as business hours). Forexample, a packet filtering rule that matches on any inbound packetcontaining a TCP SYN flag, for example an unsolicited TCP connectionattempt, may be used to detect packets that may be part of a port scanattack. Conversely, such detectors may be adapted, for example, to trackoutbound TCP SYN packets that may be sourced by an internal host that isthe source of port scan attacks or similar attacks. Such a host may havebeen compromised by malware for a port scan (or similar) attackapplication; therefore, upon detection, the associated networkadministrators may sweep and remove the malware from the host.

There may be multiple different attack detectors operating concurrentlyfor different types of attacks. Moreover, in the exemplary descriptionsabove, CTI-derived packet filtering rules may be used to identifypackets that may be associated with threats and may be components ofthese attacks, but these attack detectors also may be used to detectpotential and/or active attacks being executed by packets that may nothave been identified by CTI-derived packet filtering rules.

The threat context-aware packet filtering of the present disclosure mayalso be used to mitigate some significant operational issues that oftenoccur in practice. As noted above, it may be desirable to be able toperform CTI noise exclusion at in-transit packet observation time. Someexamples of CTI Noise include:

CTI listing an IP address that hosts a plurality of domains, where oneor more of the domains may be desirable (e.g., considerednon-threatening) and one or more others of the domains may beundesirable (e.g., associated with potential or actual threats). Forexample, Content Delivery Network (CDN) providers often host manydomains (e.g., hundreds or thousands) on a single IP address X. If some(small) portion of the domains are determined to be threats by some CTIProvider, then the CTI Provider may include not only the domains intheir published CTI but also the single IP address X hosting the threatdomains (and the legitimate domains). Thus, each domain hosted on the IPaddress X, including the non-threat/legitimate domains, becomesassociated with a threat. An SPMS 150 may include the IP address X in apacket-filtering rule as the matching criteria, and then may include therule in a policy distributed to TIGs 120, such as TIG 120 a protectingnetwork 102. If the rule's disposition is “block”, then it is likelythat many legitimate business communications between network 102 and theCDN will be blocked, i.e., there may be many false positives. If therule's disposition is “allow” and one of the directives is “log” (as analert for a possible threat), then it is likely that many false alertswill be generated. In either case, the IP address X may be considered“CTI noise”;

CTI listing a domain that is popular, such as a social media platform.For another example, often the most popular domains on the Internet (forexample, as measured by the rate of DNS resolution requests) are listedin CTIPs' CTI feeds. This may occur because, for example, popular socialmedia platforms are often used as attack vectors by malicious actors,resulting in URI threat indicators. Similar to the CDN example above, aCTIP may publish as CTI not only a URI but also the associated domainname, which will result in many false positives and false alerts. Suchdomain names may be considered “CTI noise”. A domain may be consideredpopular enough to constitute CTI noise if, for example, the domain isincluded in a list of popular domains, and/or if the domain isdetermined to have a popularity score that exceeds a thresholdpopularity score;

CTI associated with a particular location, a particular network, and/ora particular administrative context. As yet another example of CTI noisethat may be localized or otherwise specific to a particular network,i.e., the location and/or administrative context may be factored intonetwork protection decisions: An enterprise may begin protecting itsnetworks with one or more TIGs 120 and associated CTI-based policies butmay immediately discover that the CTI and associated packet filteringrules include threat indicators that identify some portion or sometimesall of the enterprise's hosts as threats. If the disposition of thepacket filtering rules is “block”, then the affected enterprise hostsmay be unable to conduct legitimate communications with Internet hosts.This particular CTI noise problem, which is referred to herein as the“autoimmunity problem” in analogy to biological autoimmunity issues suchas when a biological organism's immune system may fail to recognize selfand thus may attack self, may arise in practice because of the followingexemplary scenario: Often, an enterprise network 102's public/WAN IPaddresses, which may be assigned to a network boundary interfacing theenterprise network with the Internet 110, may be identified as threatindicators by CTI Providers because, for example, internal enterprisehosts may have been infected with malware or are otherwisecontrolled/compromised by malicious actors and may be participating inmalicious activity over the Internet. Such activity may be detected by aCTIP 140, the CTIP 140 may identify the IP addresses and/or associatedsubnet address range of the compromised hosts as threat indicators, theindicators may be published in a CTI feed, the CTI feed may be ingestedby an SPMS 150, the SPMS may transform the indicators into packetfiltering rules with “block” dispositions, and the packet filteringrules may be included in a policy distributed to TIGs 120, including theTIG 120 a protecting network 102. Then, legitimate communicationsbetween internal enterprise hosts connected to network 102 and Internethosts may be blocked, which the enterprise may consider to be highlyundesirable behavior.

For the above examples of CTI noise and autoimmunity, it is oftendifficult, impractical, or impossible to exclude/filter out the CTInoise at the CTIP(s) 140 and/or the SPMS(s) 150, because of, forexample, the volume, dynamics, automation, lack of visibility and/oraccess, contextual differences particular to each subscriber, etc.,associated with the generation/creation of CTI and CTI noise.Furthermore, CTI noise may be contextual, for example, one subscriber(e.g., an enterprise associated with a particular TIG 120 and/or aparticular network such as TIG 120 a and/or network 102) may consider aset of indicators to be noise (and not necessarily threats) whereasanother subscriber (e.g., another enterprise associated with a differentparticular TIG 120 and/or a particular network such as TIG 120 b and/ornetwork 104) may consider the same set of indicators to be threats; or,for example, at one time an enterprise may consider a set of indicatorsto be threats, but later (e.g., when a TIG 120 observes an in-transitpacket associated with that set of indicators) may consider the same setof indicators to be noise (and non-threatening).

The technology and methods of the present disclosure may be used tosolve the CTI noise problem and autoimmunity subproblem. A generalapproach may be to identify CTI noise as threat context information tobe determined at the TIG 120 in response to an in-transit packet, andinclude the threat context information in the TIG's 120 subsequentcomputation of dispositions and directives. Each TIG 120 may beconfigured with the local public/WAN IP addresses of the associatednetwork boundary as threat context information, as well as with otherindicators that are considered to be CTI noise by the administrators ofeach TIG 120. For example, TIG 120 a may be configured with one or morelocal public/WAN IP addresses of the network boundary for network 102,and TIG 120 b may be configured with one or more local public/WAN IPaddresses of the network boundary for network 104. For example, thelocal public/WAN IP addresses and/or other indicators (e.g., IPaddresses, domain names, URIs, and/or etc.) identified as CTI noise maybe inserted in an efficient set data structure such as a Bloom filter,which may be efficiently tested (in response to observing an in-transitpacket satisfying the rule) for element membership by the TIG 120 logicwhen the logic is processing a rule and matching packet. The threatindicator rules of the associated policy for any indicator identified asCTI noise may be configured with “protect” dispositions instead of“block” dispositions (or with some other disposition other than “allow”and “block”; or with no disposition at all such as a null disposition;or having any or no disposition and being associated with informationsuch as a flag that the TIG 120 interprets as an instruction to usethreat context information at in-transit packet observation time todetermine a disposition). Then, for example, when such a rule (e.g., a“protect” rule) is matched by a packet, the matching threat indicatormay be tested for membership in the efficient set data structure, andthe membership test result (i.e., TRUE/is-a-member orFALSE/is-not-a-member) may be used as input into the computation of thedisposition and directives. For example, a TRUE result may cause the TIG120 logic to compute an “allow” disposition and the “log” and “continue”directives, whereas a FALSE result may cause the TIG 120 logic tocompute a “block” disposition and the “log” and “quick” directives.

In further examples, the TIG 120 logic may be configured to factor inCTI noise and/or autoimmunity (e.g., always) regardless of an applicablerule's disposition. For example, the TIG 120 logic may be configured toalways factor in CTI noise and/or autoimmunity when a “block” rule ismatched by a packet, and may compute and apply a disposition anddirective(s) accordingly. In effect, the semantics of a “block”disposition of a rule may change to, e.g., “block this packet except ifthe matching indicator is in the set of indicators associated with CTInoise and/or autoimmunity”. Such a TIG 120 logic configuration may beuseful, for example, when an associated SPMS may not provide forconstruction of rules with the “protect” disposition but protectionsfrom CTI noise and/or autoimmunity is a requirement. More generally, insome scenarios, it may be useful to have TIG 120 logic that factors inany threat context information, and not just CTI noise, when applyingany rules, such as rules with “block” and/or “allow” dispositions. Forexample, the TIG 120 logic may not depend on a “protect” disposition ofa rule to use threat context information to compute dispositions anddirectives. While various examples described herein use the “protect”disposition as a precursor to using threat context information andassociated logic, TIG 120 may rely on any threat context information(including but not limited to CTI noise indicators) when applying anyrules with any dispositions such as but not limited to “block” or“allow” dispositions. Thus, any examples described herein of usingthreat context information when applying a “protect” disposition rulemay be likewise implemented when applying any other disposition of arule, which may be substituted accordingly in these examples forre-computing or otherwise determining the rule's ultimate dispositionand/or directive.

Referring to FIG. 1, when a packet originating from a host connected tonetwork 102 matches a “protect” rule applied by the TIG 120 a protectingnetwork 102 (or, as mentioned just above, any other rule as desired),the associated TIG 120 a logic may test if the matching indicatorcorresponds to the (local) CTI noise and/or autoimmunity threat contextinformation (consisting of the local public/WAN IP addresses andpossibly other CTI noise indicators) contained in the set data structurefilter to determine that the computed disposition may be “allow” and apolicy-processing directive may be “continue”. Whereas, for a differentnetwork 104 with local public/WAN IP addresses that are not in CTI, andfor packets comprising communications with hosts connected to network102 that are filtered by the TIG 120 b associated with network 104, theassociated TIG 120 b logic may determine the computed disposition to be“block” and the policy-processing directive to be “quick”. Thus, network102 and TIG 120 a may allow legitimate communications between internalhosts and Internet hosts, but network 104 and TIG 120 b may blockmalicious communications with the threat hosts connected to network 102.

FIG. 4 shows a flowchart for an exemplary process that solves theautoimmunity problem and the more general CTI noise problem, i.e.,performs CTI noise exclusion, at in-transit packet observation/filteringtime using threat context information and associated methods of thepresent disclosure. FIG. 4 tracks the process for a TIG 120 such as TIG120 a protecting, for example, a (private) enterprise network 102. FIG.4 also shows an example process for an SPMS 150 that may be providingpolicies and/or sets of packet filtering rules to the TIG 120 a. Notethat FIG. 4 may similarly apply to TIG 120 b protecting network 104, andTIG 120 c protecting network 108.

In Step 4-1, the (private) enterprise network 102's public/WAN IPaddresses assigned to the network boundary with the Internet 110 (orother public network) are identified and configured as threat contextinformation into the local TIG 120 a protecting network 102 at theboundary. For example, the public/WAN IP addresses, as well as other CTInoise indicators (which may be, e.g., IP addresses, domain names, URIs,and/or etc.), may be inserted into a data set named CTI-NOISE, which maybe an efficient set data structure, such as a Bloom filter, managed bythe TIG 120 a. The public/WAN IP addresses are typically assigned to theenterprise by its Internet Service Provider (ISP). Often, ISPs allocateIP addresses to subscribers as subnet addresses, which are blocks ofcontiguous IP addresses. For example, the (IPv4) subnet address11.11.11.00/24, which may be assigned to the boundary of network 102,represents the block of 256 contiguous IP addresses ranging from11.11.11.00 to 11.11.11.255. And often, enterprise networks areprotected by network firewalls (not shown) located at the boundary thatprovide multiple functions including Network Address Translation (NAT).The NAT function may be embodied in a NAT gateway, or interface, devicethat translates between the private IP address space of the privatenetwork 102 and the public IP addresses assigned to network boundary.This way, internal hosts, which have private IP addresses assigned tothem, may communicate with Internet hosts because the NAT will(temporarily) assign a public IP address to the internal host duringInternet communications, which may be required for the communications'packets to route through the Internet. From the perspective of CTI andassociated network protections systems, however, the NAT function mayexacerbate the autoimmunity problem because, for example, a singlecompromised internal host may perform multiple (threat) communicationsthat may be translated (by the NAT) into multiple different public IPaddresses. A CTIP 140 may detect these multiple communications frommultiple different IP addresses and may determine that an associatedsubnet address prefix, for example 11.11.11.00/24, is the threatindicator, and then publish the indicator/subnet address prefix in a CTIfeed. In effect, this means that any Internet communication by anyinternal host may be perceived as a threat by subscribers to policiescontaining rules generated from the CTI feed—including the TIG 120 aprotecting the network 102.

In Step 4-2, an SPMS 150 may receive a CTI feed from a CTIP 140 thatincludes the public/WAN IP addresses of network 102 and identifies themas threat indicators. The CTI also identifies an IP address 66.66.66.66(for example) associated with a host connected to network 132.

In Step 4-3, the rules and policy generation component of SPMS 150creates one or more packet filtering rules with a “protect” dispositionand with matching criteria corresponding to the public/WAN IP addresses(i.e., 11.11.11.00 through 11.11.11.255) of network 102 (which arethreat indicators). For example, a rule R0 “protect 11.11.11.00/24” maybe created. This rule R0 and other rules may be included in a policythat is distributed to subscribers, including TIG 120 a protectingnetwork 102. Alternatively, if TIGs 120 include logic to automaticallycheck local set data structures for CTI noise indicators when a “block”rule is matched, then SPMS may create packet filtering rules with a“block” disposition and with matching criteria corresponding to thepublic/WAN IP addresses of network 102. Also, a rule R1 “block log quick66.66.66.66” is created that succeeds rule R0 in the policy, i.e., asearch through the policy may encounter rule R0 before encountering ruleR1.

In Step 4-4, TIG 120 a (protecting network 102) receives the policydistributed by SPMS 150 in Step 4-3. TIG 120 a enforces the policy onin-transit packets crossing the boundary between network 102 and theInternet 110.

In Step 4-5, TIG 120 a receives a packet P1 originated by an (internal)host A connected to network 102 with public IP address 11.11.11.01 (forexample; assigned by, for example, a NAT located at the boundary ofnetwork 102 with the Internet 110) that is destined for a host Bconnected to network 104 and with a public IP address, for example, of44.44.44.21. Thus, the packet P1's IP header incudes a source IP addressvalue of 11.11.11.01 and a destination IP address value of 44.44.44.21.The IP address 44.44.44.21 of the (destination) host B is not in CTI;therefore, host B is not considered to be a threat and does notcorrespond with the matching criteria of any packet filtering rule inthe policy being enforced by TIG 120 a.

In Step 4-6, TIG 120 a applies the current policy to packet P1 todetermine whether a rule matches packet P1. In this example, TIG 120 aapplies the current policy to packet P1 and matches the rule R0(“protect 11.11.11.00/24”), because P1's source IP address value is11.11.11.01. The “protect” disposition signals TIG 120 a to compute adisposition and/or directive(s) for P1 using at least threat contextinformation, which includes the CTI noise indicators included in theCTI-NOISE indicator set data structure (e.g., a Bloom filter). Thus, TIG120 a may use threat context information to determine (e.g., compute)the disposition and/or one or more directives for P1, based on itsdetermination that rule R0 is assigned the “protect” disposition. TIG120 a tests the set data structure for membership of the element11.11.11.01, which is TRUE (because 11.11.11.01 was inserted into theCTI-NOISE set data structure in Step 4-1). The TRUE result may cause theTIG 120 a logic to determine (a) the disposition to be “allow” forpacket P1, and (b) the directives to be “log” and “continue” so that,for example, the autoimmunity instance may be alerted to administrators,and the packet P1 may continue to be filtered by rules in the policy.Because of the “continue” directive, TIG 120 a continues to filter P1through the remainder of the policy. No other matching rules are found(which may be because host B's IP address 44.44.44.21 is not in CTI);thus, P1's disposition is still “allow” and therefore TIG 120 a appliesthe computed disposition and/or directive, and thus in this exampleforwards/allows P1 to transit toward its destination (i.e., the IPaddress 44.44.44.21). If rule R0 had instead been “allow 11.11.11.00/24”or “block 11.11.11.00/24,” then the predetermined indicated “allow” or“block” disposition (respectively) may have instead been applied topacket P1 without the need for determining threat context information.Thus, TIG 120 a may decide whether or not to determine threat contextinformation for an observed in-transit packet, based upon a dispositionindicated by a rule associated with (e.g., matching) that packet.

In Step 4-7, TIG 120 a receives a packet P2 originated by a host Aconnected to network 102 with public IP address 11.11.11.01 that isdestined for a host D connected to network 132 and with a public IPaddress, for example, of 66.66.66.66. Thus, the packet P2's IP headerincudes a source IP address value of 11.11.11.01 and a destination IPaddress value of 66.66.66.66. As noted in Step 4-1, the IP address66.66.66.66 of the (destination) host D is in CTI; therefore, host D isconsidered to be a threat and corresponds with the matching criteria ofpacket filtering rule R1 in the policy being enforced by TIG 120 a.

In Step 4-8, TIG 120 a applies the current policy to packet P2 andmatches the rule R0 (“protect 11.11.11.00/24”), because P2's source IPaddress value is 11.11.11.01. The “protect” disposition signals TIG 120a to compute a disposition and directives for P2 from threat contextinformation, which includes the CTI noise indicators included in theCTI-NOISE indicator set data structure. TIG 120 a tests the set datastructure for membership of the element 11.11.11.01, which is TRUE(because 11.11.11.01 was inserted into the set data structure CTI-NOISEin Step 4-1). The TRUE result may cause the TIG 120 a logic to determine(a) the disposition to be “allow” for packet P2, and (b) the directivesto be “log” and “continue” so that, for example, the autoimmunityinstance may be alerted to administrators, and the packet P2 maycontinue to be filtered by rules in the policy. Because of the“continue” directive, TIG 120 a continues to filter P2 through theremainder of the policy. P2 matches rule R1, which is “block log quick66.66.66.66”. Accordingly, the policy search halts because of the“quick” directive, the packet P2 is logged because of the “log”directive, and the packet P2 is dropped because of the “block”disposition. Thus, network 102 may be protected from certain externalthreats.

With respect to threat context information used to determine a packet'sdisposition and directives, the methods described above in associationwith FIG. 3 and FIG. 4 may be characterized as “local”. This is becausethe threat context information in these examples is derived from boththe current in-transit packet being processed by a TIG 120 as well aslocal environmental information that is determined by (e.g., availableto and/or computed by) the TIG 120 after the in-transit packet isreceived by the TIG 120. Network protection may be further improved,however, if global threat context information, for example global threatsituation and awareness information on threats/attacks that may beactively occurring and/or may have recently occurred on other networksbesides the network being protected by the (local) TIG, may be used bythe local TIG 120 to determine a packet's disposition and directives.This global threat context information may be particularly useful forattacks in which a malicious actor may be attacking multiple differentnetworks as part of a single campaign. Such global threat contextinformation may be collected and distributed by, for example, what isreferred to herein as a Global Threat Context System/Service composed ofone or more Global Threat Context Servers (GTCS(s)) 170 (see FIG. 1).The TIGs 120 may not only provide/push their own global threat contextinformation to GTCS(s) 170 but also receive/pull other TIGs' globalthreat context information from GTCS(s) 170.

For example, referring to FIG. 5 and Step 5-1, consider a TIG 120, suchas TIG 120 a in Step 3-4 of FIG. 3, that may determine that a potentialattack, for example a potential port scan attack, has transitioned to anactive attack. For example, the host with IP address 22.22.22.22associated with network 130 may be port scanning the network 102 that isprotected by TIG 120 a. At some point during the attack, the TIG 120 amay determine that an active port scan attack is occurring againstnetwork 102, for example as in Step 3-5T of FIG. 3 above.

In Step 5-2, the TIG 120, for example TIG 120 a, may provide a GTCS 170with characteristic information on the attack, which may include, forexample, the key (e.g., the IP address 22.22.22.22 or subnet addressrange 22.22.22.00/24 of the host(s) sourcing the attack), the type ofattack (e.g., port scan attack), the start time of the attack (e.g., 3AM), the network being attacked (e.g., identified by the subnet addressprefix 11.11.11.00/24 of network 102), the disposition and/or directivesapplied to the packets, the matching rule or rules and associatedmetadata, and/or the like. TIG 120 a may provide the information to GTCS170, for example, on a periodic basis and/or in response to an eventoccurring such as a certain number of packets being observed that matcha particular rule or a particular key, or in response to detecting theattack.

In Step 5-3, the GTCS 170 may receive the active attack information fromTIG 120 a, store the attack (such as in a database and associatedservice for managing active attacks information), associate a (globallyunique) identifier/ID with the attack, and publish the characteristicinformation and identifier to GTCS subscribers such as TIG 120 a, TIG120 b, other TIGs 120 for other networks, and/or other devices andsystems (further examples of these subscribers are discussed below).

In Step 5-4, a TIG 120 that subscribes to the GTCS 170 and that is adifferent TIG protecting a different network than the TIG described inStep 5-2, for example the TIG 120 b protecting network 104 with subnetaddress range 44.44.44.00/24, may receive from the GTCS 170 the (global)threat context information about the active port scan attack that wasdetected and provided by TIG 120 a (in Step 5-2). The TIG 120 b maycreate a new active attack element from the information and insert theelement into the (local, efficient) set data structure formanaging/tracking potential port scan attacks. This new element may beconfigured such that an Is-Active-Attack(key) function that may beassociated with the set data structure returns TRUE when the keyparameter value corresponds to the key for the new element.

In Step 5-5, the host 22.22.22.22 begins to attack network 104, which isprotected by TIG 120 b, by sending a first TCP SYN packet to a public IPaddress and port of network 104.

In Step 5-6, the TIG 120 b protecting network 104 receives a (e.g., thefirst) TCP SYN packet sent by the host 22.22.22.22. TIG 120 b may applya policy to the packet and may match the packet to a “protect” rule thatmay have a CTI-derived threat indicator corresponding to IP address22.22.22.22 as the matching criteria, and/or may have matching criteriacorresponding to inbound TCP SYN packets. In either case, in response todetermining that the matching rule has a “protect” disposition, the TIG120 b logic may call the procedureCompute-Disposition-and-Directives(key), with the “key” indicated forthat procedure being the host address 22.22.22.22 or the associatedsubnet address prefix, for example, 22.22.22.00/24. Because of theconfigurations performed in Step 5-4 that resulted from the globalthreat context information about IP address 22.22.22.22, the computeddisposition for this first TCP SYN packet may be “block”. Note thatwithout the global threat context information and associated actions,the computed disposition for this first TCP SYN packet may have been“allow”.

In Step 5-7, which is similar to Step 5-2 except for a different TIGprotecting a different network, another TIG such as TIG 120 b mayprovide a GTCS 170 with (additional) characteristic information on theattack, which may include, for example, the key (e.g., the IP address22.22.22.22 or subnet address prefix 22.22.22.00/24 of the host(s)sourcing the attack), the type of attack (e.g., port scan attack), thestart time of the attack (e.g., soon after 3 AM), the network beingattacked (e.g., identified by the subnet address prefix 44.44.44.00/24of network 104), the attack identifier (which may have been suppliedearlier by the GTCS 170), and/or the like. TIG 120 b may provide theinformation to GTCS 170, for example, on a periodic basis and/or inresponse to an event occurring such a certain number of packets beingobserved that match a particular rule or a particular key, or inresponse to detecting the attack.

In Step 5-8, the GTCS 170 may receive the active attack information fromTIG 120 b, store and/or update the attack in its above-mentioneddatabase and associated service for managing active attacks information,and publish the (updated) characteristic information to the GTCSsubscribers. The updated characteristic information is then availablefor use by any of the TIGs 120 in subsequent iterations of Step 5-4 forsubsequent observed packets by any of the TIGs 120.

In addition to TIGs 120 that are protecting networks, GTCS 170subscribers may include, for example, (global) network threatsituational awareness systems, CTI Providers, Internet Service Providers(ISPs), Managed Security Service Providers (MSSPs), NetworkSecurity-as-a-Service (NSaaS) providers, and the like. Furthermore, theinformation collected and distributed by the GTCS(s) 170 may beassociated with many different types of attacks (and not necessarilylimited to only the port scan attack example described above).Accordingly, TIG logic (or any other GTCS subscriber) may use the globalthreat context information associated with many different attacks toprotect networks from these many different attacks.

As described above/elsewhere in this document, there are many potentialsources and types of threat context information, as well as manypossible combinations thereof, that may be used to determine anin-transit packet's disposition and directives. Furthermore, thecharacteristics of the cyberthreat and corresponding threat contextchange/evolve over time. As the number of sources and combinations ofthreat context information increases and the characteristics of thethreat and the associated threat context change/evolve, it may beimpractical for humans to design and manually program the associated TIG120 logic to efficiently use threat context information. In suchscenarios, machine learning may be used as an alternative and/oraugmentative approach to creating and evolving at least a portion of theTIG 120 logic. For example, a machine-learned artificial neural network(ANN) may be created that has input nodes that correspond to multipledifferent sources/types of threat context information associated withthe in-transit packet being filtered by a TIG 120, and that has outputnodes that correspond to the disposition and the directives that may beapplied to the packet. The ANN may be constructed in such a way, forexample as a bounded-depth classifier, that the resultant logic forcomputing the disposition and directives may be highly efficient (forexample, may have constant-time complexity). Furthermore, an ANN may bereadily adapted to new and/or different threat context information andto new and/or different dispositions and directives by, for example,adding and/or modifying input nodes and output nodes.

FIG. 6 shows an exemplary ANN 600 that may embody machine-learned logicof a TIG 120 for computing an observed in-transit packet'sdisposition(s) and directive(s) based at least in part on threat contextinformation associated with the in-transit packet. As shown, the ANN 500may have a plurality of layers of nodes. For example, ANN 500 may havefour (4) layers of nodes, including a first layer of N input nodes 610-1through 610-N that may correspond to a plurality of (N) threat contextinformation (TCI) sources and/or types, and a fourth layer of aplurality of (M) output nodes 640-1 through 640-M that may correspond toa plurality of dispositions and/or directives. M may be greater than,equal to, or less than N. The second (620-1 through 620-X) and third(630-1 through 630-Y) layers of nodes correspond to embedded or “hidden”layers. While two hidden layers are shown in this example, ANN 500 mayhave any number of hidden layers. Persons skilled in the art understandthe general principles of artificial neural networks. As shown in FIG.6, the output of each node in a layer of ANN 600 may be connected to theinput of two or more nodes (e.g., each node) in the subsequent layer,i.e., each layer of nodes may be connected (e.g., fully connected) tothe subsequent layer of nodes. Each connection between nodes may beweighted and directed such that the input to a node at a given layer(except possibly the first layer) may be a weighted sum of the outputsof two or more nodes (or every node) in the previous layer. Except forpossibly nodes in the first layer, the output of each node may be theresult of applying an activation function (which may be a non-linearfunction) to the node's input, such as a sigmoid function or a rectifiedlinear unit (ReLU) function. The output of a node may be constrained toa value within a certain range of values, such as between 0 and 1(inclusive). In the context of the present disclosure, the input valuesof the first-layer nodes may be computed efficiently and/or accessedefficiently, and the computations performed by nodes in the other layersalso may be computed efficiently such that disposition(s) and/ordirective(s) for the current in-transit packet may be efficientlydetermined by the ANN 600 and efficiently applied to the in-transitpacket by the TIG 120 logic.

In FIG. 6, each (input) node in the first layer corresponds to a sourceand/or type of threat context information (TCI) that may be associatedwith an in-transit packet that is being filtered/observed by a TIG 120.For example, TCI-1 may comprise a value generated by a functionassociated with (e.g., producing the value based on) the observationtime of the in-transit packet; TCI-2 may comprise a value generated by afunction, where the value indicates whether the in-transit packet is acomponent of an active attack; TC-3 may comprise a value generated by afunction associated with (e.g., producing the value based on) threatcontext information associated with the packet filtering rule thatmatched the in-transit packet; etc. The inputs to the nodes in the firstlayer, i.e., the values of TCI-1 through TCI-N, may be constrained to bebinary valued, e.g., either 1 (TRUE) or 0 (FALSE), or may be constrainedin another way such as to be in the range [0,1]. For example, andreferring to threat context information and additional informationexamples described above, some exemplary threat context informationand/or additional information that may be, or that may be used as abasis to generate, inputs to the first layer of nodes may include anyone or more of the following:

Normal-Business-Hours(current-time( ): One or more inputs (such as oneor more binary-valued inputs), which may be the output of a Booleanfunction that may efficiently determine if the current time/observationtime of the in-transit packet occurs during a certain predeterminedtimeframe (e.g., the normal business operating hours of the organizationthat administrates the associated TIG 120 and protected network). Notethat a similar exemplary function is described above in association withFIG. 3;

Is-Active-Attack( ) One or more inputs (such as one or morebinary-valued inputs), which may be the output of a Boolean functionthat may efficiently determine whether the in-transit packet is part ofan active attack on the network. A similar exemplary function isdescribed above in association with FIG. 3. There may be other similarbinary-valued input functions and input nodes associated with attacktypes, for example, a node for port-scan-attack, a node forport-sweep-attack, a node for exfiltration attack, one or more nodes forone or more DDoS attack types, etc.;

Threat-Indicator-Type-X: One or more inputs (such as one or morebinary-valued inputs) indicating the type of threat indicator used asthe matching criteria of the packet filtering rule that matched thein-transit packet. For example, threat indicator types may include IPaddress, subnet address range, 5-tuple, domain name, URI, etc., andassociated input nodes may be labeled Threat-Indicator-Type-IP,Threat-Indicator-Type-Subnet-Address-Range,Threat-Indicator-Type-5-tuple, Threat-Indicator-Type-Domain-Name,Threat-Indicator-Type-URI, etc.;

Domain-Popularity: One or more inputs (such as one or more [0,1]-valuedinputs) indicating the popularity of the domain name (if any) containedin the in-transit packet. Domain popularity data, which may be highlydynamic, is readily available from multiple services/providers and maybe stored locally in efficient data structures for fast access. Ingeneral, domains with low popularity values are often associated withmore threat risk than domains with high popularity values;

Domain Name and URI Characteristics: One or more inputs, such as (one ormore binary-valued and/or [0,1]-valued inputs) associated withcharacteristics, for example syntactic or lexical characteristics, ofthe domain name and/or URI (if any) contained in the in-transit packet,which may be associated with threat risk. Syntactic or lexicalcharacteristics may include, for example: string length, number oflabels, number of numerical characters, number of URL-encodedcharacters, correlation with words from human-spoken languages,information entropy measures, top-level-domains (TLDs), etc.;

Direction (Inbound or Outbound): One or more inputs (which may bebinary-valued) indicating whether the in-transit packet and/or thein-transit packet's associated flow may be inbound or outbound;

Connection-State: One or more inputs (such as one or more binary-valuedinputs) indicating whether a TCP connection has been established for theflow associated with the in-transit packet;

Secondary Analysis Alerts: One or more inputs (such as one or morebinary-valued inputs) indicating any results/outputs of threat/attackanalyses of the flow associated with the packet, for example, whetherthe associated flow matched one or more signatures applied by anIDS/IPS, and/or an NBA system, etc. The analysis results may alsoinclude associated threat/attack information, such as attack types, thatmay also correspond to input nodes;

Global Threat Context Information: One or more inputs (such as one ormore binary-valued inputs) that indicate any associations of thein-transit packet with global threat context information, such as activeattacks on networks other than the local network being protected, thetype of attack, etc. Exemplary global threat context information isdescribed above in association with FIG. 5;

and/or the like. There may be additional inputs to the ANN 600 that maynot be considered threat context information but are included as inputsin order to, for example, improve the performance of the ANN 600 by, forexample, reducing false positives and/or false negatives and/oruncertain outputs/results. Such information may include, for example,CTI-Provider-X: One or more inputs (such as one or more binary-valuedinputs) indicating whether a particular CTI Provider supplied the CTIthreat indicator that may be used as the matching criteria of the packetfiltering rule that matched the in-transit packet. CTI Providerinformation may be included in the matching rule's metadata andefficiently extracted/accessed at the time that the rule is matched bythe in-transit packet. For each of the CTI Providers, there may be onesuch input node for ANN 600, and each such input node may be labeledaccordingly as, e.g., CTI-Provider-1, CTI-Provider-2, . . .CTI-Provider-J. Similarly, there may be input nodes for CTI feedname/identifier, attack type associated with the CTI feed, recommendeddisposition associated with the feed (for example, supplied by the CTIProvider), confidence associated with the feed, and/or etc., where anyof such information may also be included in the matching rule'smetadata.

The output nodes 640-1 through 640-M may correspond to the computeddisposition(s) and/or directive(s) that may be applied to the in-transitpacket. For example, one output node may correspond to the “block”disposition, another output node may correspond to the “allow”disposition, another output node may correspond to the “log” directive,another output node may correspond to the “capture” directive, anotheroutput node may correspond to the “spoof-tcp-rst” directive, anotheroutput node may correspond to the “quick” directive for policyprocessing, etc. The output values may be constrained and/or trained tobe in a particular range, such as in the range [0,1]. Accordingly, theoutput value for a given output node 640 may be considered a probabilityor likelihood of the corresponding disposition or directive being a goodchoice for protecting the associated network.

ANNs as the ANN 600 of FIG. 6 may use supervised learning methods andbackpropagation for the training/learning algorithm. A training data setfor the ANN 600 may be composed of many examples of {{input values},{output values}} pairs, where the set {input values} may correspond tothe threat context information input values (for example, 1^(st)-layernode input values TCI-1 through TCI-N) associated with a trainingexample packet, and the {output values} may correspond to the desireddisposition and directives for the training example packet. Duringtraining, the {input values} may be input into the first layer of theANN 600, and the actual output values (for example, the outputs of 640-1through 640-M) may be compared to the desired {output values}. Thedifferences between the desired {output values} and the actual outputvalues may be used by a backpropagation algorithm to modify the weightsof the connections between the nodes such that the differences may beless the next time the {input values} are input. Training and associatedbackpropagation may continue until convergence is obtained, i.e., thecumulative differences between desired {output values} and actual outputvalues over the training data set may be acceptably small andaccordingly the changes to weights during backpropagation may beacceptably small.

Upon completion of training, backpropagation/learning may be switchedoff, and the resultant ANN 600 may be referred to as a classifier ormodel. The ANN 600 classifier logic may be integrated with otherportions of a TIG 120's logic, such as application logic, for computingdisposition and/or directives for in-transit packets that match packetfiltering rules (derived from CTI). For example, the ANN 600 classifierlogic may be integrated into Step 3-3 and Step 3-4 of FIG. 3, and intoStep 2-7 of FIG. 2. In practice, the ANN 600 classifier logic may becombined with other logic such as human-designed, manually programmedlogic in order to, for example, implement default behavior, and/orhandle false positives and false negatives produced by the ANN 600classifier, and/or handle uncertain results produced by the ANN 600classifier, and/or handle deficiencies in the training data and/orassociated model, and the like. For example, when the “block”disposition output node's value is at or close to 1, then it may bedesirable that the “allow” disposition output node's value should be ator close to 0, and vice versa. It may be the case, however, that bothvalues are close to 1, or close to 0, or otherwise the values areindeterminate as to the selection of the “block” or “allow” disposition,in which case the manually programmed logic may be used to determine thedisposition. For another example, the “allow” disposition output node'svalue may be at or close to 1 (and the “block” node's value close to 0)but the “spoof-tcp-rst” directive output node's value may also be closeto 1, in which case manually programmed logic may intervene toallow/forward the associated packet but not send a TCP RST packet to thesource of the packet. Otherwise, sending a TCP RST packet to the sourcemay cause the associated TCP connection to be torn down, which may be ahighly undesirable action.

Note that in addition to artificial neural networks (ANNs), othermachine learning algorithms and methodologies may be used to design thedecision logic, for example, evolutionary algorithms, geneticalgorithms, genetic programming, and the like. The choice of an ANN inFIG. 6 is exemplary and not meant to exclude other machine learningapproaches.

Any of the elements described herein or illustrated in any of thefigures, such as any of TIGs 120, and such as any of elements 130, 132,138, 140, 150, 160, and 170, may be partially or fully implemented usingone or more computing devices such as computing device 700 shown in FIG.7. Computing device 700 may be, for example, a general-purpose computingdevice with general-purpose hardware that is configured to perform oneor more specific functions using specific software and/or firmware, orit may be, for example, a specific-purpose computing device withpurpose-specific hardware (and/or purpose-specific software and/orpurpose-specific firmware) customized for specific functionality. Any ofthe hardware elements of computing device 700, and/or the computingdevice 700 itself, may be emulated in a virtual version of computingdevice 700. Computing device 700 may include one or more processors 701that may execute computer-readable instructions of a computer program toperform any of the functions or other operations described herein. Theinstructions, along with other data, may be stored in storage 702, whichmay include, for example, memory such as read-only memory (ROM) and/orrandom access memory (RAM), a hard drive, a magnetic or optical disk, aUniversal Serial Bus (USB) drive, and/or any other type ofcomputer-readable media. The data may be organized in any way desired,such as being organized so as to be accessible via database softwarestored as instructions in storage 702 and executed by the one or moreprocessors 701. Computing device 700 may also include a user interface704 for interfacing with one or more input devices 705 such as akeyboard, mouse, voice input, etc., and for interfacing with one or moreoutput devices 706 such as a display, speaker, printer, etc. Computingdevice 700 may also include a network interface 703 for interfacing withone or more external devices that may be part of a network external tocomputing device 700. Although FIG. 7 shows an example hardwareconfiguration, one or more of the elements of computing device 700 maybe implemented as software or a combination of hardware and software.Modifications may be made to add, remove, combine, divide, etc.components of computing device 700. Additionally, the elements shown inFIG. 7 may be implemented using basic computing devices and componentsthat have been configured to perform operations such as are describedherein. Processor(s) 701 and/or storage 702 may also or alternatively beimplemented through one or more Integrated Circuits (ICs). An IC may be,for example, a microprocessor that accesses programming instructions orother data stored in a ROM and/or hardwired into the IC. For example, anIC may comprise an Application Specific Integrated Circuit (ASIC) havinggates and/or other logic dedicated to the calculations and otheroperations described herein. An IC may perform some operations based onexecution of programming instructions read from ROM or RAM, with otheroperations hardwired into gates or other logic.

As explained above, computing device 700 may be embodied, for example,as a packet-filtering appliance such as a TIG (e.g., any of TIGs 120).FIG. 8 shows an example block diagram of such a packet-filteringappliance 800, which may be located at a boundary 802 of a network suchas network 102 (or, for example, networks 104 or 108). Thus,packet-filtering appliance 800 is one example implementation ofcomputing device 700. Packet filtering appliance 800 may comprise one ormore processors 804 (which may be the same as processor(s) 701), memory806 (which may be the same as storage 702), network interface(s) 808and/or 810 (which may be the same as network interface 703), packetfilter 812 (which may be performed by processor(s) 701), and managementinterface 814 (which may be performed by processor(s) 701, userinterface 704, input device 705, and/or output device 706). Processor(s)804, memory 806, network interfaces 808 and/or 810, packet filter 812,and/or management interface 814 may be interconnected via a data bus 816(which may be the arrows interconnecting any of the various elements inFIG. 7 and FIG. 8). Network interface 810 may connect packet filteringappliance 800 to a first network such as network 102 (or 104 or 108).Similarly, network interface 808 may connect packet-filtering appliance800 to a second network such as network 110. Memory 806 may include oneor more program modules that, when executed by processor(s) 804, mayconfigure packet-filtering appliance 800 to perform one or more ofvarious functions described herein. Memory 806 may also be used to storerules, databases, logs, and/or any other information used by andgenerated by packet-filtering appliance 800.

Packet-filtering appliance 800 may be configured to receive a policy(such as the filtering rules described herein) from one or more securitypolicy management servers (e.g., SPMS(s) 150, shown in FIG. 1). Forexample, packet-filtering appliance 800 may receive a policy 818 from asecurity policy management server via management interface 814 (e.g.,via out-of-band signaling) or network interface 808 (e.g., via in-bandsignaling). Packet-filtering appliance 800 may comprise one or morepacket filters or packet discriminators, and/or logic for implementingone or more packet filters or packet discriminators. For example,packet-filtering appliance 800 may comprise packet filter 812, which maybe configured to examine information associated with packets received bypacket-filtering appliance 800 (e.g., from network 110) and forward suchpackets to one or more of operators 820, 822, and/or 824 (which may beimplemented as hardware and/or as software executed by processor(s) 804)based on the examined information. For example, packet filter 812 mayexamine information associated with packets received by packet-filteringappliance 800 (e.g., packets received from network 110 via networkinterface 808) and forward the packets to one or more of operators 820,822, or 824 based on the examined information. These operators, forexample, may implement the disposition and directives associated withthe packet filtering rule that match a packet.

Policy 818 may include one or more filtering rules, and theconfiguration of packet filter 812 may be based on one or more of therules included in policy 818. For example, policy 818 may include one ormore rules specifying that packets having specified information shouldbe forwarded to operator 820, that packets having different specifiedinformation should be forwarded to operator 822, and that all otherpackets should be forwarded to operator 824. Operators 820, 822, and/or824 may be configured to perform one or more functions on packets theyreceive from packet filter 812. For example, one or more of operators820, 822, and/or 824 may be configured to forward packets received frompacket filter 812 into network 102, which may implement an “allow”disposition, or drop packets received from packet filter 812, which mayimplement a “block” disposition. One or more of operators 820, 822,and/or 824 may be configured to drop packets by sending the packets to alocal “infinite sink” (e.g., the /dev/null device file in a UNIX/LINUXsystem). In some embodiments, one or more of operators 820, 822, and/or824 may be configured to apply directives to the packets, such as the“log”, “capture”, etc., directives described herein.

Also, one or more of operators 820, 822, and/or 824 may be configured toimplement the “protect” disposition described herein, based on one ormore filtering rules set forth in policy 818. For example, if one ormore packets are determined by operator 822 to match or otherwisesatisfy one or more rules that may be configured with a “protect”disposition, then operator 822 may send information to processor(s) 804indicating this (e.g., indicating which rule(s) are satisfied, and/orindicating logging parameters that should be used). In turn,processor(s) 804 may initiate execution of logic that uses variousthreat context information described herein to compute the dispositionand directive(s) that may be applied to the one or more packets.Processor(s) 804 may comprise and/or be supplemented with the ANN 600discussed above with respect to FIG. 6, with the requisite physicaland/or logical inputs to the input layer of nodes 610 and physicaland/or logical outputs from the output layer of nodes 640.

Packet-filtering appliance 800 may obtain threat-context informationfrom a variety of sources (or generate threat context information basedon information retrieved from a variety of sources), some of which maybe local (sources internal to packet-filtering appliance 800) and othersof which may be remote (sources external to packet-filtering appliance800). For example, processor(s) 804 may comprise a clock that maintainscurrent time of day and that may be used to determine in-transit packetobservation time. Referring to other examples of threat-contextinformation described above: appliance location, appliance ID,administrator and associated security policy preferences, network type,active threat type, multi-packet multi-flow threat/attack analysisresults, CTI provider(s) and associated information, threat indicatortype and fidelity, threat indicator age, flow origination, flowdirection, flow state, connection state, global threat context, domainname, URI, URL, domain name popularity, domain name registration status,data transfer protocol methods, protocol risk, contextual CTI noise, andthe like may each be determined by processor(s) 804 for an in-transitpacket and in response to receiving the in-transit packet, based onprocessing of information stored in memory 806, based on computations byprocessor(s) 804, based on information received via network interface808 from network 110, based on information receive via network interface810 via network 102, and/or based on information received via managementinterface 814.

In addition to the other information described above, memory 806 maystore a variety of information used by packet-filtering appliance 800,for example CTI noise information, global threat context informationreceived via network interface 810 from GTCS(s) 170, domain namepopularity information), and/or any other information received fromSOC(s) 160, SPMS(s) 150, and/or CTIP(s) 140.

The functions and steps described herein may be embodied incomputer-usable data or computer-executable instructions, such as in oneor more program modules, executed by one or more computers or otherdevices (e.g., computing device 700, such as packet-filtering appliance800) to perform one or more functions described herein. Generally,program modules include routines, programs, objects, components, datastructures, etc. that perform particular tasks or implement particularabstract data types when executed by one or more processors in acomputer or other data-processing device. The computer-executableinstructions may be stored on a computer-readable medium (e.g., storage702, such as memory 806) such as a magnetic disk, optical disk,removable storage media, solid-state memory, random-access memory (RAM),ready-only memory (ROM), flash memory, etc. As will be appreciated, thefunctionality of the program modules may be combined or distributed asdesired. In addition, the functionality may be embodied in whole or inpart in firmware or hardware equivalents, such as integrated circuits,application-specific integrated circuits (ASICs), field-programmablegate arrays (FPGA), and the like. Particular data structures may be usedto more effectively implement one or more aspects of the disclosure, andsuch data structures are contemplated to be within the scope ofcomputer-executable instructions and computer-usable data describedherein.

Although not required, one of ordinary skill in the art will appreciatethat various aspects described herein may be embodied as a method,system, apparatus, or one or more computer-readable media storingcomputer-executable instructions. Accordingly, aspects may take the formof an entirely hardware embodiment, an entirely software embodiment, anentirely firmware embodiment, or an embodiment combining software,hardware, and firmware aspects in any combination.

As described herein, the various methods and acts may be operativeacross one or more computing devices and networks. The functionality maybe distributed in any manner or may be located in a single computingdevice (e.g., a server, client computer, or the like).

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one of ordinary skill in the art willappreciate that the steps illustrated in the illustrative figures may beperformed in other than the recited order and that one or moreillustrated steps may be optional. Any and all features in the followingclaims may be combined or rearranged in any way possible. For anotherexample, one of ordinary skill in the art will appreciate that thereferences to the IPv4 protocol in the specification and descriptions ofillustrative figures may be substituted with references to otherprotocols such as the Internet Protocol version 6 (IPv6) protocol.

The invention claimed is:
 1. A method comprising: receiving, by apacket-filtering appliance configured to process packets in-transittraversing a boundary between a first network and a second network, aplurality of packet-filtering rules each indicating a criterion and anaction to be performed, wherein: the packet-filtering rules weredetermined based on a plurality of threat indicators that weredetermined based on cyber threat intelligence reports of a plurality ofcyber threat intelligence providers, and a first packet-filtering ruleof the plurality of packet-filtering rules indicates a first criterionand that an action is to be determined after an in-transit packetmatching the first packet-filtering rule is received; receiving, by thepacket-filtering appliance from the first network and at a first time, afirst in-transit packet destined to the second network; based ondetermining that the first in-transit packet matches the first criterionof the first packet-filtering rule, the packet-filtering appliance:determining first threat context information associated with thereceiving the first in-transit packet; determining, based on the firstthreat context information, a first action; and applying the firstaction to the first in-transit packet; receiving, by thepacket-filtering appliance from the first network and at a second time,a second in-transit packet destined to the second network; and based ondetermining that the second in-transit packet matches the firstcriterion of the first packet-filtering rule, the packet-filteringappliance: determining second threat context information associated withthe receiving the second in-transit packet, wherein the second threatcontext information has at least one value different from the firstthreat context information; determining, based on the second threatcontext information and independently from the determining the firstaction, a second action; and applying the second action to the secondin-transit packet.
 2. The method of claim 1, wherein the first actioncomprises a first disposition and the second action comprises a seconddisposition that is different from the first disposition.
 3. The methodof claim 1, wherein one of the first action or the second action is toallow the first in-transit packet to proceed to the second network, andthe other of the first action or the second action is to block thesecond in-transit packet from proceeding to the second network.
 4. Themethod of claim 1, wherein the first action comprises a first directiveand the second action comprises a second directive that is differentfrom the first directive.
 5. The method of claim 1, wherein the applyingthe first action to the first in-transit packet is performed before thereceiving the second in-transit packet.
 6. The method of claim 1,wherein the applying the first action to the first in-transit packet iscompleted before the receiving the second in-transit packet.
 7. Themethod of claim 1, wherein the applying the first action to the firstin-transit packet is completed after the receiving the second in-transitpacket and before completing the applying the second action to thesecond in-transit packet.
 8. The method of claim 1, wherein thedetermining the first threat context information comprises determiningthe first threat context information based on an observation time of thefirst in-transit packet.
 9. The method of claim 1, wherein thedetermining the first threat context information comprises determiningthe first threat context information based on whether the firstin-transit packet is a member of an attack that is active at a time thatthe first in-transit packet is received by the packet-filteringappliance.
 10. The method of claim 1, wherein the determining the firstthreat context information comprises determining the first threatcontext information based on whether the first in-transit packet is amember of a multi-packet multi-flow attack that is active at a time thatthe first in-transit packet is received by the packet-filteringappliance.
 11. The method of claim 1, wherein: the first threat contextinformation comprises a first plurality of elements of information andthe second threat context information comprises a second plurality ofelements of information; the packet-filtering appliance comprises anartificial neural network comprising a plurality of input nodes and aplurality of output nodes; the determining the first action comprises:providing the first plurality of elements of information to at leastsome of the plurality of input nodes of the artificial neural network;and receiving, via at least one of the plurality of output nodes of theartificial neural network, an indication of the first action; and thedetermining the second action comprises: providing the second pluralityof elements of information to at least some of the plurality of inputnodes of the artificial neural network; and receiving, via at least oneof the plurality of output nodes of the artificial neural network, anindication of the second action.
 12. A packet-filtering applianceconfigured to process packets in-transit traversing a boundary between afirst network and a second network, the packet-filtering appliancecomprising: one or more processors; and one or more non-transitorycomputer-readable media storing instructions that, when executed by theone or more processors, configure the packet-filtering appliance to:receive a plurality of packet-filtering rules each indicating acriterion and an action to be performed, wherein: the packet-filteringrules were determined based on a plurality of threat indicators thatwere determined based on cyber threat intelligence reports of aplurality of cyber threat intelligence providers, and a firstpacket-filtering rule of the plurality of packet-filtering rulesindicates a first criterion and that an action is to be determined afteran in-transit packet matching the first packet-filtering rule isreceived; receive, from the first network and at a first time, a firstin-transit packet destined to the second network; based on determiningthat the first in-transit packet matches the first criterion of thefirst packet-filtering rule: determine first threat context informationassociated with receiving the first in-transit packet; determine, basedon the first threat context information, a first action; and apply thefirst action to the first in-transit packet; receive, from the firstnetwork and at a second time, a second in-transit packet destined to thesecond network; and based on determining that the second in-transitpacket matches the first criterion of the first packet-filtering rule:determine second threat context information associated with thereceiving the second in-transit packet, wherein the second threatcontext information has at least one value different from the firstthreat context information; determine, based on the second threatcontext information and independently from determining the first action,a second action; and apply the second action to the second in-transitpacket.
 13. The packet-filtering appliance of claim 12, wherein thefirst action comprises a first disposition and the second actioncomprises a second disposition that is different from the firstdisposition.
 14. The packet-filtering appliance of claim 12, wherein oneof the first action or the second action is to allow the firstin-transit packet to proceed to the second network, and the other of thefirst action or the second action is to block the second in-transitpacket from proceeding to the second network.
 15. The packet-filteringappliance of claim 12, wherein the first action comprises a firstdirective and the second action comprises a second directive that isdifferent from the first directive.
 16. The packet-filtering applianceof claim 12, wherein the instructions, when executed by the one or moreprocessors, configure the packet-filtering appliance to apply the firstaction the first in-transit packet before the second in-transit packetis received by the packet-filtering appliance.
 17. The packet-filteringappliance of claim 12, wherein the instructions, when executed by theone or more processors, configure the packet-filtering appliance tocomplete applying the first action to the first in-transit packet beforethe second in-transit packet is received by the packet-filteringappliance.
 18. The packet-filtering appliance of claim 12, wherein theinstructions, when executed by the one or more processors, configure thepacket-filtering appliance to complete applying the first action to thefirst in-transit packet after the second in-transit packet is receivedby the packet-filtering appliance and before completing applying thesecond action to the second in-transit packet.
 19. The packet-filteringappliance of claim 12, wherein the instructions, when executed by theone or more processors, configure the packet-filtering appliance todetermine the first threat context information based on an observationtime of the first in-transit packet.
 20. The packet-filtering applianceof claim 12, wherein the instructions, when executed by the one or moreprocessors, configure the packet-filtering appliance to determine thefirst threat context information based on whether the first in-transitpacket is a member of an attack that is active at a time that the firstin-transit packet is received by the packet-filtering appliance.
 21. Thepacket-filtering appliance of claim 12, wherein the instructions, whenexecuted by the one or more processors, configure the packet-filteringappliance to determine the first threat context information based onwhether the first in-transit packet is a member of a multi-packetmulti-flow attack that is active at a time that the first in-transitpacket is received by the packet-filtering appliance.
 22. Thepacket-filtering appliance of claim 12, wherein: the first threatcontext information comprises a first plurality of elements ofinformation and the second threat context information comprises a secondplurality of elements of information; the packet-filtering appliancecomprises an artificial neural network comprising a plurality of inputnodes and a plurality of output nodes; and the instructions, whenexecuted by the one or more processors, configure the packet-filteringappliance to: determine the first action by: providing the firstplurality of elements of information to at least some of the pluralityof input nodes of the artificial neural network; and receiving, via atleast one of the plurality of output nodes of the artificial neuralnetwork, an indication of the first action; and determine the secondaction by: providing the second plurality of elements of information toat least some of the plurality of input nodes of the artificial neuralnetwork; and receiving, via at least one of the plurality of outputnodes of the artificial neural network, an indication of the secondaction.
 23. One or more non-transitory computer-readable media storinginstructions that, when executed by one or more processors of apacket-filtering appliance configured to process packets in-transittraversing a boundary between a first network and a second network,cause: receiving, by the packet-filtering appliance, a plurality ofpacket-filtering rules each indicating a criterion and an action to beperformed, wherein: the packet-filtering rules were determined based ona plurality of threat indicators that were determined based on cyberthreat intelligence reports of a plurality of cyber threat intelligenceproviders, and a first packet-filtering rule of the plurality ofpacket-filtering rules indicates a first criterion and that an action isto be determined after an in-transit packet matching the firstpacket-filtering rule is received; receiving, by the packet-filteringappliance from the first network and at a first time, a first in-transitpacket destined to the second network; based on determining that thefirst in-transit packet matches the first criterion of the firstpacket-filtering rule, the packet-filtering appliance: determining firstthreat context information associated with the receiving the firstin-transit packet; determining, based on the first threat contextinformation, a first action; and applying the first action to the firstin-transit packet; receiving, by the packet-filtering appliance from thefirst network and at a second time, a second in-transit packet destinedto the second network; and based on determining that the secondin-transit packet matches the first criterion of the firstpacket-filtering rule, the packet-filtering appliance: determiningsecond threat context information associated with the receiving thesecond in-transit packet, wherein the second threat context informationhas at least one value different from the first threat contextinformation; determining, based on the second threat context informationand independently from the determining the first action, a secondaction; and applying the second action to the second in-transit packet.24. The one or more non-transitory computer-readable media of claim 23,wherein the first action comprises a first disposition and the secondaction comprises a second disposition that is different from the firstdisposition.
 25. The one or more non-transitory computer-readable mediaof claim 23, wherein one of the first action or the second action is toallow the first in-transit packet to proceed to the second network, andthe other of the first action or the second action is to block thesecond in-transit packet from proceeding to the second network.
 26. Theone or more non-transitory computer-readable media of claim 23, whereinthe first action comprises a first directive and the second actioncomprises a second directive that is different from the first directive.27. The one or more non-transitory computer-readable media of claim 23,wherein the instructions, when executed by the one or more processors ofthe packet-filtering appliance, cause the applying the first action tothe first in-transit packet to be: performed before the receiving thesecond in-transit packet; completed before the receiving the secondin-transit packet; or completed after the receiving the secondin-transit packet and before completing the applying the second actionto the second in-transit packet.
 28. The one or more non-transitorycomputer-readable media of claim 23, wherein the instructions, whenexecuted by the one or more processors of the packet-filteringappliance, cause the determining the first threat context information bydetermining the first threat context information based on an observationtime of the first in-transit packet.
 29. The one or more non-transitorycomputer-readable media of claim 23, wherein the instructions, whenexecuted by the one or more processors of the packet-filteringappliance, cause the determining the first threat context information bydetermining the first threat context information based on whether thefirst in-transit packet is a member of an attack that is active at atime that the first in-transit packet is received by thepacket-filtering appliance.
 30. The one or more non-transitorycomputer-readable media of claim 23, wherein the instructions, whenexecuted by the one or more processors of the packet-filteringappliance, cause the determining the first threat context information bydetermining the first threat context information based on whether thefirst in-transit packet is a member of a multi-packet multi-flow attackthat is active at a time that the first in-transit packet is received bythe packet-filtering appliance.